From patchwork Fri Jan 9 09:28:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78314 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9AC37D14899 for ; Fri, 9 Jan 2026 09:28:56 +0000 (UTC) Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.6692.1767950933394655837 for ; Fri, 09 Jan 2026 01:28:53 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=YTUInd/g; spf=pass (domain: gmail.com, ip: 209.85.214.172, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-2a0a33d0585so28113475ad.1 for ; Fri, 09 Jan 2026 01:28:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950932; x=1768555732; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=UsZlpe7v4C1fB5n4jMTJlKw7vJT8QhlmXqh+U0ADh94=; b=YTUInd/gPuvgIXllPjP/AWtaPt1EerK8fDXtb1lUGijY3jS+WBSOmWavUMzSMhqdaA r/3/nUqbTWXpY0JUW364EAIN9P3YGgRlG5V5sqk72VnFFq5PBwpTCCLZW5Idyut13o4M 33IAHhAsyosxxiidrlFTMvIMO63vbQ60jmoiFqBKKHCLVS5G6D/y1mq05qwLeufZley7 qrtZh49g3mfNXFXdWq0bm5uDbhu0yYZAx/OKtjrzJOQeYcFrBd4YCnUWaTrxPXwpJwS9 LqYARPmmfPhTBxZuT2K2T2U5kxfLA8LIOvuXsI0bV4HU2LDptCb3YGCRMQfZywNDvkV/ qUXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950932; x=1768555732; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=UsZlpe7v4C1fB5n4jMTJlKw7vJT8QhlmXqh+U0ADh94=; b=Rfx37lwrhNna9XJcyOyaQjnpAsxdlLVfWEyV5POdi0MeyA29RNikuTE/yrSK9AyBYr A3qVYiYKifVZYVO96yE1G1FLTO0gj+z7dhobdTyjZg2WjogGCJvMjIFX0sjA2Tax6XG8 +wcaYpnCbghdPvMchbGLUM/SMrd61pW04RwlFmwpjI5PhWQ1sgOHn6JCrWDZlktSymoO pHEUESCCIMJ8J4xrD+kFgDpfZXwXen1AssXK6aS4W1c4XGAmAertb9gJ3rnNI/Itso0g RZKuu+Kj0jEn3pvYUoPzdBNFWN/7SEWzXw9cxlVcma8tHaaX20HO16Kng5a4Z4FDsOml 5OjA== X-Gm-Message-State: AOJu0Ywqw6ibKQggGyr43GsIYsu0Qx3dEQc3qsmzoATp7s2kxm7ImkNX vNqrObMov3WEUVzwzNHiTxH8rBoC4wtxbKTLn/okANPxLbT+gwjXJ4okwHXVaw== X-Gm-Gg: AY/fxX4Vp4dzrN4HZSUbxLlZe0jO7Z6QQgqOH75T0mrHB8p4/rWk6pTmEbj8tE5bety DicospBCFDJ3cD9WoJ4wYCN/CD0N5ZwoNhJI9/BgEGxs2jpmtyyqgr7KhKYMBj9OdwKgPDo8Koy fyPLu9wheHEPcc2xpMiTdDOq9UgCEKWohnnLaQd2Vy6+5VXhoDfaYW93o1Ior5UWmyRu3PcfRUI 6clFZnnEJ20y9SSSQNEikv/vL9uSSi1ugnqcU2apUS9prz9pukrfRnd3ea7VEpAo1lKsOBTqYV3 oayPDDWAZZyecJOD0VEQypNKnHV6dmKYty0NYkRmvzavOt3YWNXk6vyfYAs4kwEEE/uD16qDjOO WFp+/j88NMUmuJD+V5n+1GWEg+Esn+oV4TyGEkZmj4jgWjk3hz0MYB/MNQ6cUJ1h1qoulEzqAOH 01FhTlQZpUwyK/jFya3EDVjgg= X-Google-Smtp-Source: AGHT+IEWz5K9kPe/ay02PTo757U14LkxtQayWFkYH1Z7HksyZERO+N2jARC9QmsObtzyam9tDzHLOQ== X-Received: by 2002:a17:902:cf05:b0:2a0:97d2:a264 with SMTP id d9443c01a7336-2a3ee49015dmr81787325ad.37.1767950932427; Fri, 09 Jan 2026 01:28:52 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.28.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:28:51 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 01/12] cifs-utils: patch CVE-2025-2312 Date: Fri, 9 Jan 2026 22:28:31 +1300 Message-ID: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:28:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123279 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2312 Signed-off-by: Ankur Tyagi --- .../cifs/cifs-utils/CVE-2025-2312.patch | 136 ++++++++++++++++++ .../recipes-support/cifs/cifs-utils_7.0.bb | 4 +- 2 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch diff --git a/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch new file mode 100644 index 0000000000..3e62b0f1c3 --- /dev/null +++ b/meta-networking/recipes-support/cifs/cifs-utils/CVE-2025-2312.patch @@ -0,0 +1,136 @@ +From faf6ce0abd6fbca95721eb88754add9c0c700a5c Mon Sep 17 00:00:00 2001 +From: Ritvik Budhiraja +Date: Tue, 19 Nov 2024 06:07:58 +0000 +Subject: [PATCH] CIFS.upcall to accomodate new namespace mount opt + +NOTE: This patch is dependent on one of the previously sent patches: +[PATCH] CIFS: New mount option for cifs.upcall namespace resolution +which introduces a new mount option called upcall_target, to +customise the upcall behaviour. + +Building upon the above patch, the following patch adds functionality +to handle upcall_target as a mount option in cifs.upcall. It can have 2 values - +mount, app. +Having this new mount option allows the mount command to specify where the +upcall should happen: 'mount' for resolving the upcall to the host +namespace, and 'app' for resolving the upcall to the ns of the calling +thread. This will enable both the scenarios where the Kerberos credentials +can be found on the application namespace or the host namespace to which +just the mount operation is "delegated". +This aids use cases like Kubernetes where the mount +happens on behalf of the application in another container altogether. + +Signed-off-by: Ritvik Budhiraja +Signed-off-by: Steve French + +CVE: CVE-2025-2312 +Upstream-Status: Backport [https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174] +(cherry picked from commit 89b679228cc1be9739d54203d28289b03352c174) +Signed-off-by: Ankur Tyagi +--- + cifs.upcall.c | 55 +++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 47 insertions(+), 8 deletions(-) + +diff --git a/cifs.upcall.c b/cifs.upcall.c +index 52c0328..0883afa 100644 +--- a/cifs.upcall.c ++++ b/cifs.upcall.c +@@ -953,6 +953,13 @@ struct decoded_args { + #define MAX_USERNAME_SIZE 256 + char username[MAX_USERNAME_SIZE + 1]; + ++#define MAX_UPCALL_STRING_LEN 6 /* "mount\0" */ ++ enum upcall_target_enum { ++ UPTARGET_UNSPECIFIED, /* not specified, defaults to app */ ++ UPTARGET_MOUNT, /* upcall to the mount namespace */ ++ UPTARGET_APP, /* upcall to the application namespace which did the mount */ ++ } upcall_target; ++ + uid_t uid; + uid_t creduid; + pid_t pid; +@@ -969,6 +976,7 @@ struct decoded_args { + #define DKD_HAVE_PID 0x20 + #define DKD_HAVE_CREDUID 0x40 + #define DKD_HAVE_USERNAME 0x80 ++#define DKD_HAVE_UPCALL_TARGET 0x100 + #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC) + int have; + }; +@@ -979,6 +987,7 @@ __decode_key_description(const char *desc, struct decoded_args *arg) + size_t len; + char *pos; + const char *tkn = desc; ++ arg->upcall_target = UPTARGET_UNSPECIFIED; + + do { + pos = index(tkn, ';'); +@@ -1077,6 +1086,31 @@ __decode_key_description(const char *desc, struct decoded_args *arg) + } + arg->have |= DKD_HAVE_VERSION; + syslog(LOG_DEBUG, "ver=%d", arg->ver); ++ } else if (strncmp(tkn, "upcall_target=", 14) == 0) { ++ if (pos == NULL) ++ len = strlen(tkn); ++ else ++ len = pos - tkn; ++ ++ len -= 14; ++ if (len > MAX_UPCALL_STRING_LEN) { ++ syslog(LOG_ERR, "upcall_target= value too long for buffer"); ++ return 1; ++ } ++ if (strncmp(tkn + 14, "mount", 5) == 0) { ++ arg->upcall_target = UPTARGET_MOUNT; ++ syslog(LOG_DEBUG, "upcall_target=mount"); ++ } else if (strncmp(tkn + 14, "app", 3) == 0) { ++ arg->upcall_target = UPTARGET_APP; ++ syslog(LOG_DEBUG, "upcall_target=app"); ++ } else { ++ // Should never happen ++ syslog(LOG_ERR, "Invalid upcall_target value: %s, defaulting to app", ++ tkn + 14); ++ arg->upcall_target = UPTARGET_APP; ++ syslog(LOG_DEBUG, "upcall_target=app"); ++ } ++ arg->have |= DKD_HAVE_UPCALL_TARGET; + } + if (pos == NULL) + break; +@@ -1440,15 +1474,20 @@ int main(const int argc, char *const argv[]) + * acceptably in containers, because we'll be looking at the correct + * filesystem and have the correct network configuration. + */ +- rc = switch_to_process_ns(arg->pid); +- if (rc == -1) { +- syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno)); +- rc = 1; +- goto out; ++ if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED) { ++ syslog(LOG_INFO, "upcall_target=app, switching namespaces to application thread"); ++ rc = switch_to_process_ns(arg->pid); ++ if (rc == -1) { ++ syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno)); ++ rc = 1; ++ goto out; ++ } ++ if (trim_capabilities(env_probe)) ++ goto out; ++ } else { ++ syslog(LOG_INFO, "upcall_target=mount, not switching namespaces to application thread"); + } + +- if (trim_capabilities(env_probe)) +- goto out; + + /* + * The kernel doesn't pass down the gid, so we resort here to scraping +@@ -1495,7 +1534,7 @@ int main(const int argc, char *const argv[]) + * look at the environ file. + */ + env_cachename = +- get_cachename_from_process_env(env_probe ? arg->pid : 0); ++ get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0); + + rc = setuid(uid); + if (rc == -1) { diff --git a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb index c78bbae7b8..4e27491bba 100644 --- a/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb +++ b/meta-networking/recipes-support/cifs/cifs-utils_7.0.bb @@ -5,7 +5,9 @@ LICENSE = "GPL-3.0-only & LGPL-3.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" SRCREV = "316522036133d44ed02cd39ed2748e2b59c85b30" -SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master" +SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master \ + file://CVE-2025-2312.patch \ +" S = "${WORKDIR}/git" DEPENDS += "libtalloc" From patchwork Fri Jan 9 09:28:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78318 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A147ED185DC for ; Fri, 9 Jan 2026 09:29:06 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.6693.1767950936283342783 for ; Fri, 09 Jan 2026 01:28:56 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=MjXeQ42R; spf=pass (domain: gmail.com, ip: 209.85.214.175, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-2a0c20ee83dso38542925ad.2 for ; Fri, 09 Jan 2026 01:28:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950935; x=1768555735; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=NPyTcFQUTPfVLzxLxZAV684S19HdWRKph8vGkfF7hMI=; b=MjXeQ42RHzu7CzfXcFDImoNGxD+eLJ4zrmgL3WS53gFotKLtPvoC2xd24XfdLx8u1H fxIgG9CX5VR/iC8+n8v9jyulLYZ6i0j+QFXEgm57v/AjSXvGxJFu3S6iBXbF3orwz1RB K3O6RZif/0sf7CIPTn/u6Xln0wcBVjplgwmNoE9Ra+igx2DsWfP8+iGI2fYd4VZWL/Bw srHO9o/07y7UXxOuM+PjzcSjrPAI/eeZmj6OkKnVsMWUWNm3VZnJsxO7ROChFDMtUGKa blg113PPz2Cjh3xOpPETwFCNaB37/zGq9NBRDFLMQegu5UXcvV0jAKbaFXre8RrtZwb2 Hzxg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950935; x=1768555735; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=NPyTcFQUTPfVLzxLxZAV684S19HdWRKph8vGkfF7hMI=; b=t3g8BbVZ+IBwy27o7oNZXcm4KGLqEToaTD6cupGO7lt0AL1YPeuEy3fjzA1MA4KU/S goxgaM+Zs1ir3nNszPaZ4jWsr838wBbmk7IXfcR9vbG/nX/7t0GFnKDi2pK4pHtzMkWI nunJLdzwGmE7gQgh0EEGGRkk40Pp9i/yk7tOIId/sFVAT6xEHQQp8OtGevq6vLgvHOlr KglLJaZ3s4A6ljFPT+E/TScgVK9cmrB+T8/ECQjqPuRDpr8p/cGwL8RYz8QickrHAdfE O8Zik4DJthZkAd/TXW3ilz+7JHEUhkyADZk5gkFOWgNLt32FxRF8mBH2qgNWmztwDWsR YWRA== X-Gm-Message-State: AOJu0Yx2am93EMetqhEom2jxzpqji+xbZuFQm/lL/+O9kOLdCgrx7oGi 4mlNEnvgQ6b1geO+KQAPAbuhIsTA58qN7NXf1tmwVSfHGFxefNhjNMEhFNM7kA== X-Gm-Gg: AY/fxX4yasj9rDgtFUi08qGBOEoIcMdyXBdFGEJaskoHLZmNtrjWZVC7Xw46hWOxlDi MWmIpsQX904NYK+/BSagFKiPF9Bzp93xDCoQsc66WuZavIn9/VzvnBO7dJjrIRLfmWlVWGZo0aT aDrBqbZFmag+FDyyV4ln7y0CkOD+D2gI9kINkrAzqgxGOyj3bHsgYAYgl/k7axO7tQPoysnl6fK qPEemaokGngrv10eO9WTCcTvIcCsF8v3h85B4n0RSIWpsGeInxGbD64dwGyAlXZUEhCJ+yEA+0n fV3B7qkLvVwHRO1TAUoBcz0FP39hTfV2zVh3MWSKHyxS9LPceFXu0vyw4M3UGpfAGDSisPWOwFC 06haNJ1a2kDZaJu1pVANgCo44d7PmrUoJqscYh2cjl4LS6tGq3VOdQoLNaeKmzIdtqV9+shb8qk BIvJ/g8eZS5kbCJNHvo54Wgp8= X-Google-Smtp-Source: AGHT+IE8U+Z/rYUncYSz0oUXDdq4aFBiEhF3th301L5oCKfn3nS9UPfPDI9MEkIW7cZoKWq/NUIjeA== X-Received: by 2002:a17:902:ef0c:b0:2a0:9e9d:e8cf with SMTP id d9443c01a7336-2a3ee4bb973mr93523355ad.57.1767950935319; Fri, 09 Jan 2026 01:28:55 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.28.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:28:55 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 02/12] dante: upgrade 1.4.3 -> 1.4.4 Date: Fri, 9 Jan 2026 22:28:32 +1300 Message-ID: <20260109092843.1924568-2-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> References: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:29:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123280 From: Gyorgy Sarvari License-Update: copyright year bump Changelog: - Fix potential security issue CVE-2024-54662, related to "socksmethod" use in client/hostid-rules. - Add a missing call to setgroups(2). - Patch to fix compilation with libminiupnp 2.2.8. - Client connectchild optimizations. - Client SIGIO handling improvements. - Various configure/build fixes. - Updated to support TCP_EXP1 version of TCP hostid format. https://www.inet.no/dante/announce-1.4.4 Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj Signed-off-by: Ankur Tyagi --- .../dante/{dante_1.4.3.bb => dante_1.4.4.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-networking/recipes-protocols/dante/{dante_1.4.3.bb => dante_1.4.4.bb} (90%) diff --git a/meta-networking/recipes-protocols/dante/dante_1.4.3.bb b/meta-networking/recipes-protocols/dante/dante_1.4.4.bb similarity index 90% rename from meta-networking/recipes-protocols/dante/dante_1.4.3.bb rename to meta-networking/recipes-protocols/dante/dante_1.4.4.bb index 4badff8bbd..3a290d31d6 100644 --- a/meta-networking/recipes-protocols/dante/dante_1.4.3.bb +++ b/meta-networking/recipes-protocols/dante/dante_1.4.4.bb @@ -9,11 +9,11 @@ what could be described as a non-transparent Layer 4 router." HOMEPAGE = "http://www.inet.no/dante/" LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=edd508404db7339042dfc861a3a690ad" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b3a8e7dc09bb720460f28c9d3796afa5" SRC_URI = "https://www.inet.no/dante/files/dante-${PV}.tar.gz \ " -SRC_URI[sha256sum] = "418a065fe1a4b8ace8fbf77c2da269a98f376e7115902e76cda7e741e4846a5d" +SRC_URI[sha256sum] = "1973c7732f1f9f0a4c0ccf2c1ce462c7c25060b25643ea90f9b98f53a813faec" # without --without-gssapi, config.log will contain reference to /usr/lib # as a consequence of GSSAPI path being set to /usr by default. From patchwork Fri Jan 9 09:28:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78316 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A14EBD185F5 for ; Fri, 9 Jan 2026 09:29:06 +0000 (UTC) Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.6694.1767950938964436318 for ; Fri, 09 Jan 2026 01:28:59 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=W8qP7hYP; spf=pass (domain: gmail.com, ip: 209.85.214.173, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-2a2ea96930cso29575465ad.2 for ; Fri, 09 Jan 2026 01:28:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950938; x=1768555738; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=P8T0kKatXBHkf81ZqZ2W54SIVE8Q9Dy/hft15B5So1g=; b=W8qP7hYPA2yIJYYvTaEG2NLouNbxzdKOob5axMW5c5285g3rB2SvcmWe+9ZTrEUnUD dWCCcvDUS2Jj3yy3f/3wRVpoBnszY8NVLgJuP4BDLaVEGhTnU6wC1iklilLuNA5qgp11 K5v2UnaEu/lvdyaBv/5A2aSs2Upn7QEaA0y7golZ/vbrNcYdNF89dEIkif/r44SfvapR DBGVe+8kngKMk9dyeqiGTEJO4jZ9k2ZZfMMR5OLmcHKRf0ulwOkGz7nL1n8/RCfQ9GfY gtyhLwzSKq8IezNS2Chgfs+uTXrrYBmpoU/mQr1mCA/AK2DI1uI6valJdC6UCODJtH0u Zi/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950938; x=1768555738; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=P8T0kKatXBHkf81ZqZ2W54SIVE8Q9Dy/hft15B5So1g=; b=op+1aVY8+mVaXrUHjKPJnt1rWlcc132UzJpLXQOyRg71yYK2aBZ1KlW0loKifPmewZ e4KD7Qybpxbca+zewnIo3gCyM7Yw3ml/o/6MZXvRf16cbtxXh9c0ybtjqVBInn8SxHbW U/vSPA2LVEFUakJ9KoSbbNp6yhh4AmFaOFmLXey19J1vJqu8CthP4K3jmLSLvcIRuMyf 2UCoQpsFWZ8lbLR27+D+r0Y6tOftkDkLPskwop6TU8kfiOM+6UaARiDqZnS/Jpn9i64k 9dvs328Vl0e+OXFMoE6LTbTo3QEqN5KDPwnL1bO8S2UH8YGODofn2AxhKleHvcUW+jjo bm2w== X-Gm-Message-State: AOJu0YxRVDk4tIPrbA2nlDXbQgBb/gkWuGd49v7KQEFS0g3D/xlLtmRu r2Rw+CFaDDXSpX51ZfRDb1oOcWhqXpFK0I2DuqyhKgkbuuR0MIzOn+qPncjQOA== X-Gm-Gg: AY/fxX4t0BXhQcOhWfc2HKodrcZeVoJF5sd718kesNHJJMWcvMTyg069L1JV4a0csiT eaSP/VOF6W5Vr84vB+WgixjVoiYR6GmFEeNX36eb+8HoSwkBDKGFnBmenLcxndzf/tv6OUk1FXQ Mzltqjk6/33iSZGHRx46UHSL4HD0Cz3GPW69xC1XArxdcAw7hIOdmRUQDAgesE+KEy/nyTw4acB bBexlDRpfQ1qu6M40TZ/ndOPv8y/f/R+2jkbQME6JHsA3Xko8k7RdgJ3nUPMzjXfvx+nENy4dt0 w2bnV9KpcEmUMFe/g1ZWDQbrX8bydvJaSR2+JZvUSF4yj5bv6ljhuxVOGAvY6u7x9G2vWkRBS4K VrL0OrheD/yPb3IC5piu7+upc04l8aAs2UJhqXrWM/ldN3aLur3lvVSpqyH05wh+OHP9ASq5wCp HhL/nRx1mD+cizz+zzH5KOev8= X-Google-Smtp-Source: AGHT+IHJBbP344BF6Q/M4RLRn16Bu45kYpR3YoqOIu8a4kaaaPZwDtef56uddSb3v1UvxMhP+3z6fg== X-Received: by 2002:a17:903:2284:b0:2a1:3cd8:d2df with SMTP id d9443c01a7336-2a3ee51385emr94596915ad.54.1767950938020; Fri, 09 Jan 2026 01:28:58 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.28.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:28:57 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Khem Raj , Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 03/12] dante: Add _GNU_SOURCE for musl builds Date: Fri, 9 Jan 2026 22:28:33 +1300 Message-ID: <20260109092843.1924568-3-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> References: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:29:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123281 From: Khem Raj This helps build fixes e.g. cpuset_t definitions etc. glibc builds have _GNU_SOURCE defined inherently. Signed-off-by: Khem Raj (cherry picked from commit 848bac20ea27afddc3843c41ad105843ad167177) Signed-off-by: Ankur Tyagi --- meta-networking/recipes-protocols/dante/dante_1.4.4.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-networking/recipes-protocols/dante/dante_1.4.4.bb b/meta-networking/recipes-protocols/dante/dante_1.4.4.bb index 3a290d31d6..2fa2767e86 100644 --- a/meta-networking/recipes-protocols/dante/dante_1.4.4.bb +++ b/meta-networking/recipes-protocols/dante/dante_1.4.4.bb @@ -29,6 +29,8 @@ CPPFLAGS += "-P" CFLAGS += "-I${STAGING_INCDIR}/tirpc" LIBS += "-ltirpc" +CFLAGS:append:libc-musl = " -D_GNU_SOURCE" + REQUIRED_DISTRO_FEATURES = "pam" EXTRA_AUTORECONF = "-I ${S}" From patchwork Fri Jan 9 09:28:34 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78317 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AE393D1D485 for ; Fri, 9 Jan 2026 09:29:06 +0000 (UTC) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.6695.1767950941269648119 for ; Fri, 09 Jan 2026 01:29:01 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=jynx4ta/; spf=pass (domain: gmail.com, ip: 209.85.214.179, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-2a0a33d0585so28113945ad.1 for ; Fri, 09 Jan 2026 01:29:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950940; x=1768555740; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=afy3kq14KwBzfMfBZApxrtc+VdiSbpcnXXrHDzyTJlY=; b=jynx4ta/2oaZkkXiULsuSvEU07lx0z+3W/hS6I7gBs+Luv0RRQj/gdA2evXaL6PloT qAQPA3K7Vt1w7aNusYIzX0CAuKfnRC9g8maOuVttD35rpDjY6qtmezTDSGIxIZDMj8jJ E12lC/zu4Ibcb3Kd1aFXaVR/+fm1MeVG9VM2NYR1CZwlAGmwtoszED70yu2vgKHTVEHd gLKnwtPX/tB3hry/6d8emgSTb2FmhfVROGvoB2TvASUZDn/h48E/PelvkSzwQXl3fEZ3 Yi6jSMqDJAXVsKxf+goBRMp0V1g7ySWMqkrDUrYPTzwyZzBXAWSkNM2HZPJpQOLfgWPo UMUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950940; x=1768555740; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=afy3kq14KwBzfMfBZApxrtc+VdiSbpcnXXrHDzyTJlY=; b=EAtwBxjPNprzw416WDFzz3XHh3W/6M7Ovx+B8Rzys8PV4cl2hSMP0PavCvUV/cvFEc yRwH0AtSGngZGGy+U3WKSZs/8VDpsqioEmiXyqRQg55ugb0+5IkqgUUNyHE5nfvLUT5a 3zSxuuWLjZBCeIttfb06l/1ab26zz91DKLN4d7lDgFJVI8EM0dw1TQajl6EydgrQlN64 Sw18S8jfwEaneRORDJ1mHf1vxL0fOBihp3K3vIrZ9VMMwa4flqZjWUZ2R/OrmrXBbZGO RTF3SHjCqad/hMRVX44UVdgjXFa4he/sZ897/LJOTRpsPIJ7XvVdKIAyFkFrAE9Gl/Cn m6XQ== X-Gm-Message-State: AOJu0YzcEYAMUILT8AHM6aNeOpszwh7rF+pEqi5Cj0RJ0SVZf5HLzS30 9b9bRSPPfWtgaWEJdt9EhmTT8zay6wQk0vwtOPrDJV1p2pwyfFsrFq2Fkr+Cdg== X-Gm-Gg: AY/fxX5aG50gnRVnxFRdJPtkNYPY7XmGsLi4SExthNugk9Hvfc7mwtPY0yUP2M9jZiq z7iabxvIDpGrQcdUmYI2vk99PHMKhNk232Lua9wtzzEtGiZdb4JeGzdV0LnqI7gEb4o9RGGjVMF XSCS6mYi5FE+QTkeUVoh8lmiYj14uq+H3zJ4bUCQBpUtsuBRdg14An3mDBTuAdZdynRwPpzrZ5O eczELIi6S4nQx7dxex3sTwezxggfzPh0ksgOKp5juKjhHegWvnzRQChNEKNNER/jrWT1iroFi5C z+TRtRbQ/uUawb82rHG/THSAY2eCflLhX2fZTcj1LAhmMpbudGYkXxR5g0nbic9LNnpqpdayrnz L0Am2XyufRVcBK9GRDV2lUdAV7uphpXC/Ip8z+5MAR/9Pi5k9CggByrxD0sVA8VUYcMFZnVBZkM jS2QEl2AOGS9ZmFh4nmXqRPxY= X-Google-Smtp-Source: AGHT+IErAEXFi74uDTQAa8dQOaHvy2JzpPrpoN8YeBIXh8w8tNUpJp1IjLcwCRxNuFAMXYmT2oyyHQ== X-Received: by 2002:a17:903:2f85:b0:29d:9f5a:e0d1 with SMTP id d9443c01a7336-2a3ee443db3mr74910395ad.27.1767950940342; Fri, 09 Jan 2026 01:29:00 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.28.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:29:00 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 04/12] frr: ignore CVE-2024-44070 Date: Fri, 9 Jan 2026 22:28:34 +1300 Message-ID: <20260109092843.1924568-4-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> References: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:29:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123282 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2024-44070 The PR[1] fixing this CVE was backported[2] to stable/9.1 and commit[3] exists in the current version so we can ignore it. $ git tag --contains 21cd931 | grep frr-9.1.3 frr-9.1.3 [1] https://github.com/FRRouting/frr/pull/16497 [2] https://github.com/FRRouting/frr/pull/16504 [3] https://github.com/FRRouting/frr/commit/21cd931a5f9303e12104c72ce31ca383c0c57514 Signed-off-by: Ankur Tyagi --- meta-networking/recipes-protocols/frr/frr_9.1.3.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.3.bb b/meta-networking/recipes-protocols/frr/frr_9.1.3.bb index c5f626a35a..f75ce20ab3 100644 --- a/meta-networking/recipes-protocols/frr/frr_9.1.3.bb +++ b/meta-networking/recipes-protocols/frr/frr_9.1.3.bb @@ -135,3 +135,5 @@ USERADD_PARAM:${PN} = "--system --home ${localstatedir}/run/frr/ -M -g frr -G fr FILES:${PN} += "${datadir}/yang" BBCLASSEXTEND = "native" + +CVE_STATUS[CVE-2024-44070] = "fixed-version: The current version (9.1.3) contains the fix." From patchwork Fri Jan 9 09:28:35 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78319 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BEB52D1D48A for ; Fri, 9 Jan 2026 09:29:06 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.6696.1767950943786100637 for ; Fri, 09 Jan 2026 01:29:03 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=a7LHJoyy; spf=pass (domain: gmail.com, ip: 209.85.214.174, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-2a0d67f1877so33947205ad.2 for ; Fri, 09 Jan 2026 01:29:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950943; x=1768555743; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=tqfqw5OiQYH8z/Gcn/71tBo09CdJ2zUfQQPQAlo6DBQ=; b=a7LHJoyyKeyHBiNZNnzME3HQx5PRB0sEnNw+M8IJwGA1by817iUm5Kbx0/xWvX2KmH sZ999qaDVcxKBH2z+i1iSdSLYr7zmvBQ7TeJfrhZ+bVU/FSbC4fssRuaSQilxu7AqRGw Dh4adc2J7QOSyloJV26Pkcc+zyAEeUUcttp1PNjCT1FB8nnj8gmudmbq/hFEf7+AuhSI VNm6TqMmy7FNIj/hs6vA8CawuUFmxiNxa9e4vaSAdZh7+NoMnqQvTKkhVM04zFwrFLWz /4KWkjNlBhBpgdWuKztrrxQyPkN5nbj80Qs4AZBj4uzF8AJv53Ibp6oPHs/iicFuonbN R4Kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950943; x=1768555743; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=tqfqw5OiQYH8z/Gcn/71tBo09CdJ2zUfQQPQAlo6DBQ=; b=ibv6Z/R1IqiFDd8Sjg+wI05w/qzexU+IWbM1irwyBtVByhjERn0NRM1tj9yZjj0nJz N/KcNYQ2TzVQCjWJwqrUeB7MrcGJC3jrkXtuuQc3dbHgcQMvvU0CHmgtAud4AswNFPNb 5hxwUCKQWOjJ3J6oKlfjBuqIMNbNXKFbiEUAugIY5OpsSAlHZTX51a1zGXpi2l+PXSAz qaEnEkhOXltQRMDO4Jhov9Gxjqcyst+j4ns5ZyJI+/l5Bda0vM7x1F4dfYxmLUatwsqj XjI3KNtoyF4YB5obh4b1QgZ6P+tfuyXQt5EZ6YsUojKK8kVgH93Arx6KedR7Nw/+j+7h 8Jkw== X-Gm-Message-State: AOJu0YwPA1g99aLOExF8pxiDKPId81oGLeQZniF/X7NE6lmKb0iXI0mN RFzwVE9Lv1uZsmHgFbDrVy4ceFgDm7zxIMiUF/tUuUTYwZdWuPHX/KqR6gdokg== X-Gm-Gg: AY/fxX6VdOxUoiZaMCBE0VXqFlcyhPtlfBDljBKmU9APXDWbb9aILE5LcqXA1Hx6Ji9 t1BcbYJdzLjoJeTyM/33Xxxcz7Cz8GpXcwT3nKlN1YgyGfpZLHPzoziIULJHKmb1GkUxSR3m2OH LkCeFNRVDuTmhIY00xc30GzRD0VOqQ3CQJStI+p9o7fLAR4IGor8uHWfrCmL412Qx8Y6OOGEGPB c4SVLHj4z2W+VHJM4RrpCoM5oZiYAfUaljAHhIbRn8QHaEMJKi25TIBOWuW8JkRSNCQhI/G+/iM h8ODepJB3uqRaqLpGOGHyX91QEBpXp7cBlauSvGTsUXKMULdgEck5NorXet8ivNfUsTp1e6sONM 1ZldkH/0MMlP6K5odSrBmsIk4+o3I4U1GM/Lt6cpp1ot4ytoczW+J+9F5fkUrzETfAJonLsss1D 5IZCEm7Cxj5YvIKXUUsKAs/Yo= X-Google-Smtp-Source: AGHT+IHDMqt8OgaLyQb9qPu3QC+/GFtvCyhh0KyY9bV/RCRjF62bumUkxPGlmNAwABUqOugcVhKMFA== X-Received: by 2002:a17:902:e888:b0:2a0:e223:f6e6 with SMTP id d9443c01a7336-2a3ee4cb047mr92850965ad.46.1767950942942; Fri, 09 Jan 2026 01:29:02 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.29.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:29:02 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 05/12] libcoap: patch CVE-2025-34468 Date: Fri, 9 Jan 2026 22:28:35 +1300 Message-ID: <20260109092843.1924568-5-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> References: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:29:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123283 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-34468 Signed-off-by: Ankur Tyagi --- .../libcoap/libcoap/CVE-2025-34468.patch | 127 ++++++++++++++++++ .../recipes-devtools/libcoap/libcoap_4.3.4.bb | 1 + 2 files changed, 128 insertions(+) create mode 100644 meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch diff --git a/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch new file mode 100644 index 0000000000..9aee64c3c2 --- /dev/null +++ b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch @@ -0,0 +1,127 @@ +From f191ae30013c205a350cd897fe24d56dde2e593a Mon Sep 17 00:00:00 2001 +From: Jon Shallow +Date: Fri, 12 Sep 2025 10:07:41 +0100 +Subject: [PATCH] coap_address.c: Validate length of provided host name + +Host names larger than 255 bytes will cause an internal buffer overflow. + +Hostnames provided to coap_resolve_address_info() now have their length validated. + +Discovered by SecMate (https://secmate.dev). + +Sanity check host lengths when parsing a CoAP URI when using the coap_split_uri() +function. + +CVE: CVE-2025-34468 +Upstream-Status: Backport [https://github.com/obgm/libcoap/commit/30db3ea] +Signed-off-by: Ankur Tyagi +--- + examples/coap-client.c | 11 ++++++----- + src/coap_address.c | 9 +++++++-- + src/coap_uri.c | 20 +++++++++++++++++++- + 3 files changed, 32 insertions(+), 8 deletions(-) + +diff --git a/examples/coap-client.c b/examples/coap-client.c +index 18b6777f..8512fbbd 100644 +--- a/examples/coap-client.c ++++ b/examples/coap-client.c +@@ -822,6 +822,12 @@ cmdline_oscore(char *arg) { + static int + cmdline_uri(char *arg) { + ++ /* Sanity check the provided (Proxy)Uri */ ++ if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) { ++ coap_log_err("invalid CoAP URI '%s'\n", arg); ++ return -1; ++ } ++ + if (!proxy_scheme_option && proxy.host.length) { + /* create Proxy-Uri from argument */ + size_t len = strlen(arg); +@@ -836,11 +842,6 @@ cmdline_uri(char *arg) { + (unsigned char *)arg)); + + } else { /* split arg into Uri-* options */ +- if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) { +- coap_log_err("invalid CoAP URI\n"); +- return -1; +- } +- + /* Need to special case use of reliable */ + if (uri.scheme == COAP_URI_SCHEME_COAPS && reliable) { + if (!coap_tls_is_supported()) { +diff --git a/src/coap_address.c b/src/coap_address.c +index 2dabb366..6cd55ba5 100644 +--- a/src/coap_address.c ++++ b/src/coap_address.c +@@ -469,10 +469,15 @@ coap_resolve_address_info(const coap_str_const_t *address, + #endif /* COAP_AF_UNIX_SUPPORT */ + + memset(addrstr, 0, sizeof(addrstr)); +- if (address && address->length) ++ if (address && address->length) { ++ if (address->length >= sizeof(addrstr)) { ++ coap_log_warn("Host name too long (%zu > 255)\n", address->length); ++ return NULL; ++ } + memcpy(addrstr, address->s, address->length); +- else ++ } else { + memcpy(addrstr, "localhost", 9); ++ } + + memset((char *)&hints, 0, sizeof(hints)); + hints.ai_socktype = 0; +diff --git a/src/coap_uri.c b/src/coap_uri.c +index 6f658730..f2360ceb 100644 +--- a/src/coap_uri.c ++++ b/src/coap_uri.c +@@ -59,6 +59,15 @@ coap_uri_info_t coap_uri_scheme[COAP_URI_SCHEME_LAST] = { + { "coaps+ws", 443, 0, COAP_URI_SCHEME_COAPS_WS } + }; + ++/* ++ * Returns 0 All OK ++ * -1 Insufficient / Invalid parameters ++ * -2 No '://' ++ * -3 Ipv6 definition error or no host defined after scheme:// ++ * -4 Invalid port value ++ * -5 Port defined for Unix domain ++ * -6 Hostname > 255 chars ++ */ + static int + coap_split_uri_sub(const uint8_t *str_var, + size_t len, +@@ -165,8 +174,10 @@ coap_split_uri_sub(const uint8_t *str_var, + if (len && *p == '[') { + /* IPv6 address reference */ + ++p; ++ ++q; ++ --len; + +- while (len && *q != ']') { ++ while (len && *q != ']' && (isxdigit(*q) || *q == ':')) { + ++q; + --len; + } +@@ -197,6 +208,12 @@ coap_split_uri_sub(const uint8_t *str_var, + goto error; + } + ++ if ((int)(q - p) > 255) { ++ coap_log_warn("Host name length too long (%d > 255)\n", (int)(q - p)); ++ res = -6; ++ goto error; ++ } ++ + COAP_SET_STR(&uri->host, q - p, p); + } + +@@ -222,6 +239,7 @@ coap_split_uri_sub(const uint8_t *str_var, + + /* check if port number is in allowed range */ + if (uri_port > UINT16_MAX) { ++ coap_log_warn("Port number too big (%ld > 65535)\n", uri_port); + res = -4; + goto error; + } diff --git a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb index da0cf50f92..efea6d24f8 100644 --- a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb +++ b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb @@ -12,6 +12,7 @@ SRC_URI = "git://github.com/obgm/libcoap.git;branch=main;protocol=https \ file://CVE-2024-0962.patch \ file://CVE-2024-31031.patch \ file://CVE-2025-59391.patch \ + file://CVE-2025-34468.patch \ " SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615" From patchwork Fri Jan 9 09:28:36 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78315 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 98C1ED148A4 for ; Fri, 9 Jan 2026 09:29:06 +0000 (UTC) Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.6698.1767950946256574388 for ; Fri, 09 Jan 2026 01:29:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=V4vLAufT; spf=pass (domain: gmail.com, ip: 209.85.214.172, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-2a137692691so29406295ad.0 for ; Fri, 09 Jan 2026 01:29:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950945; x=1768555745; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=iUrKVs+I0xF5v1ERU2dQGai8PetcnExBwOjsKNma//8=; b=V4vLAufTVdEqgr2x4dLmJQWY2sUBNN71aALpsokIWkSz0WiKROxR5yRL0ys1m8lcfz lh0zcMe1loUijTCnBrHI3iLpg5PoaZprmguIYCWmeyN4FF/DrIcCdVa7T6cfGi4ucydu nEvDFjS6GmxhNrypy/HAA5DB8SPngdCkhSB/ZbJL6MVPT3IWf99a3eXQ6YjxWrFb8iN9 Ldh6y6aCPhRTbFXGMbYnvPBWtd9T1tz30PMPVfzojSH6HpnIpM1GOqpyV7oHA4kzU5jP RGBbl3xHgxu/w851U1946nBRjLC8l/U3WD9AzIvQ+rwKvW/X/UjbG00MST3qbXK7D6WG 7e4g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950945; x=1768555745; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=iUrKVs+I0xF5v1ERU2dQGai8PetcnExBwOjsKNma//8=; b=qjzM98frE/njToszuoBmhvi/38bEBv9PVspah3FxrXjVFezHIK8NYqd8GlXsu8l07j 1QAwLddlgKaIgA7wZYRcP+FO2kuDLLAQql2WwXdeuJqgP4IUJGFDaQsgNW/Bma67ze+i ap+u5nI5/HaNhjATrjPS60jJaJUxuzXcxXYRSKyiUQ2zjyO5RdcZtKX4xhWjGndvvpcq 2oIpnOHcrwAiSQTvqoKXZKD7eGossdlMbFnMPHvfGjbPTxndFKCtTUONhHDIau8CMtQx Wpl0+B3ioSIxJN087NYbky4AHG2Yi9RSEajtLRM6rMjfgbzv0upoID70/EOeN7gBKPoF 1QkQ== X-Gm-Message-State: AOJu0YyAhZvgQn8qtkAunv43QBRYNv02+IDFxk+FWbaZGaCBjI0t2mOu R2sKFicb0V5byS81V/6oU8Tp5B3JvBZE1bY3EPQ8oimX6wjinKnNxj3FTDsJ1Q== X-Gm-Gg: AY/fxX5e6QZUM0z+XOWueHB2sY7/tKBY28KZCnFnsz4aOBIDVbwwcoVto4SP44d2cnh sqCP9lEMYmGRrDfKCOToG9BuXqYTsY8J/rEM+jubYJhSoC2ZXVJrASBUW3FWO6CjExHTvTQPhCg t7R+iTe87k+1ioFCYa4uqeShji0KEtjbwMvrPP+mJqpg+2DtYTv7OTrhsSq8JpBpCmZFgWvipFh +pztiEhd73QpaD+Ucz0l5kKBKsXORAqbvuejGLlhq17M3WLAQd5mYtL7za+rNH3Grn1CQscszHi C7heZ8x6WIf6KLOketLRAJPSvh86deHC/ayDsIs3XXLeNEZ30kQZH8CQn9VpIlqKFXgDY75a18T j2+yGLNs5pEjPZkHRNzyp0ElXvfqVi1kz6tQ9QVYHVnbz2y070ZQVcMQgnd/mXaNz7A0zcdD3mQ LRDLFBF5So/DdU0Zl2A1StCWvpLRXM1HaPsA== X-Google-Smtp-Source: AGHT+IHWsen1G9gbovp+uxGwzP8nfXaPO5BHAQ5TrvmqJoSE12JQbKdSm/udYNUEMRRXD17CkFmeLw== X-Received: by 2002:a17:903:40c9:b0:298:3aa6:c03d with SMTP id d9443c01a7336-2a3ee51bdd6mr96113195ad.57.1767950945355; Fri, 09 Jan 2026 01:29:05 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.29.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:29:04 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 06/12] mtr: patch CVE-2025-49809 Date: Fri, 9 Jan 2026 22:28:36 +1300 Message-ID: <20260109092843.1924568-6-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> References: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:29:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123284 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-49809 Signed-off-by: Ankur Tyagi --- .../mtr/mtr/CVE-2025-49809.patch | 39 +++++++++++++++++++ .../recipes-support/mtr/mtr_0.95.bb | 4 +- 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch diff --git a/meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch b/meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch new file mode 100644 index 0000000000..f7d1b06934 --- /dev/null +++ b/meta-networking/recipes-support/mtr/mtr/CVE-2025-49809.patch @@ -0,0 +1,39 @@ +From 9b5107ff91b72c0104d9dbeee076f37f584ea4b4 Mon Sep 17 00:00:00 2001 +From: "R.E. Wolff" +Date: Sun, 29 Jun 2025 14:06:00 +0200 +Subject: [PATCH] Added protection against use of MTR_PACKET under special + circumstances + +CVE: CVE-2025-49809 +Upstream-Status: Backport [https://github.com/traviscross/mtr/commit/5226f105f087c29d3cfad9f28000e7536af91ac6] +(cherry picked from commit 5226f105f087c29d3cfad9f28000e7536af91ac6) +Signed-off-by: Ankur Tyagi +--- + ui/cmdpipe.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/ui/cmdpipe.c b/ui/cmdpipe.c +index d22b236..1a66293 100644 +--- a/ui/cmdpipe.c ++++ b/ui/cmdpipe.c +@@ -220,10 +220,17 @@ void execute_packet_child( + the path to the mtr-packet executable. This is necessary + for debugging changes for mtr-packet. + */ +- char *mtr_packet_path = getenv("MTR_PACKET"); +- if (mtr_packet_path == NULL) { ++ char * mtr_packet_path = NULL; ++ ++ // In the rare case that mtr-packet is not setuid-root, ++ // and a select group of users has sudo privileges to run ++ // mtr and not much else, THEN create /etc/mtr.is.run.under.sudo ++ // to prevent a privilege escalation when one of those accounts ++ // is compromised. CVE-2025-49809 ++ if (access ("/etc/mtr.is.run.under.sudo", F_OK) != 0) ++ mtr_packet_path = getenv("MTR_PACKET"); ++ if (mtr_packet_path == NULL) + mtr_packet_path = "mtr-packet"; +- } + + /* + First, try to execute mtr-packet from PATH diff --git a/meta-networking/recipes-support/mtr/mtr_0.95.bb b/meta-networking/recipes-support/mtr/mtr_0.95.bb index 92f9c4bfc0..c1d6ff5605 100644 --- a/meta-networking/recipes-support/mtr/mtr_0.95.bb +++ b/meta-networking/recipes-support/mtr/mtr_0.95.bb @@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://ui/mtr.c;beginline=5;endline=16;md5=00a894a39d53726a27386534d1c4e468" SRCREV = "852e5617fbf331cf292723702161f0ac9afe257c" -SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https" +SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https \ + file://CVE-2025-49809.patch \ +" S = "${WORKDIR}/git" From patchwork Fri Jan 9 09:28:37 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78320 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B36D9D167E2 for ; Fri, 9 Jan 2026 09:29:16 +0000 (UTC) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.6761.1767950948707800738 for ; Fri, 09 Jan 2026 01:29:08 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=N98xE5zH; spf=pass (domain: gmail.com, ip: 209.85.214.179, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-2a0d0788adaso28613625ad.3 for ; Fri, 09 Jan 2026 01:29:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950948; x=1768555748; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=U2pZHRAiVfSh6E6LajNFH2m98oCuhj9G2bi0Xr/CEbo=; b=N98xE5zHCpyCxJuI8MVwJdQx57wUiuH7zgqbUNxrqXZVmTrSG0rQ1hsPUVTBAkjHMz 96ipJ6DDqKBFGWDMR93sDGaz0Vbk+RcjgeAczTkca/BIMlZuN2Svt4DkMYs6/rqQ2uxn f/ocmzuWZIpnv0pVGlTy1/kRr5vKUpT4RATzOo/vDUT4EzDFaweW+tlOmxRdX/A5pLkv yXxaq+WYlRqetVff5olKc5unRG1TB9EBNV2HeeFrwRh54lCz4p/AcFu0AjgMg/oaj+fX 6nQYIedZ+6ZCris76w6uYfte6C9/4Nz7eBwiaq4+GNi+G7Pua+zmB/vJf7YL5ujfNtSl Do2w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950948; x=1768555748; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=U2pZHRAiVfSh6E6LajNFH2m98oCuhj9G2bi0Xr/CEbo=; b=bO/gvOmttV0Wyl1pedUAN50C4N8cVviLVMKtfIAN62Prt5bBHe3UTKzFXDTQudzbN5 TE5IrzlBDzuwvSrbsEGRN2xWhi/mA8lliicYUVmxV0J05VyC+KH9x3ZXCVM6QMaHsgvl FfD7Y1P5zwrgbuolRuHCC2SRxovO8S5N9Uh9X6RpzfhZLMgfFKKpLiYG3uDtH4FTFaUe xyuOVkRbJ+ihaPnXXKP6qVkzNq4CHJz//MnM9uTryMNIMKV8rlvI/qgbCmg+irHwd9UU Th/RlNIEDe5BxVYEYpYInmr0AmYcWhRWyb7njiyLSaAJcFLBepvRo8Cg0IvK2gbqbbse pBPQ== X-Gm-Message-State: AOJu0YwSRtoHRZ5IqBr7WNmFPcMnum/38Uso17m2cdGWg7pI8ujEc7VP 0+dYAdlE65FoFAaSVrmqwvc/gWbpJtbuAWrnjfvYyFekKEHjh8nAbFXmFnL82A== X-Gm-Gg: AY/fxX5t8Q/OYe6eYWe4vKLuZ328Q4tNgg3cJ8Y5JrxH4x2DCQ3Xp0S1eoVhK1jBXr7 M9rp2CX+9bUcEsvevP55FvEjUbWohvZC1eA8kSFRePMsqsdk2x0Ttbn9T22wfkwXqD2WNLRIuy+ 8GRprPnODUDF3/hhiBtCFrrdo2+XNnzZlUsflqLJOHmiRWKyCCpKYBO9QwOBIJRn+Z0QuPAOHge tt0/vpEdP3gGewfSC1OJcc3KKtiqOhIseLkq56xHfZK8OVjBeqjoPazUg6+Klqj1aoSsyBS3tlh dl2RbCmboSNQS/Ne2w/6FAu2ZAZs+Jxp4ZzMKzgWaVsr/JXEx45pf2nmf0sL7szVDesQ2ktKLYL rcrd4MUj7z6NIIg5snyDofdbT2EXz2yOhZULnZCRA99d1EnrmLgr+ycc3N0iOIm8Py4fn9o89xs xJb6MWSM9U8KEWgwBZmNFDfQxIr7AZgcvamA== X-Google-Smtp-Source: AGHT+IHqJ+Zo++u383fjjZwDBB4NLNKoM7Il6iFqkh9BvfJH3SddoqySMUmsk13B2n05u0xoGW1reA== X-Received: by 2002:a17:902:f682:b0:2a0:a33f:3049 with SMTP id d9443c01a7336-2a3ee40e4a6mr81965295ad.4.1767950947834; Fri, 09 Jan 2026 01:29:07 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.29.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:29:07 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 07/12] open62541: patch CVE-2024-53429 Date: Fri, 9 Jan 2026 22:28:37 +1300 Message-ID: <20260109092843.1924568-7-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> References: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:29:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123285 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2024-53429 Backport the patch mentioned in the comment[1] which fixed this CVE. [1] https://github.com/open62541/open62541/issues/6825#issuecomment-2460650733 Signed-off-by: Ankur Tyagi --- .../opcua/open62541/CVE-2024-53429.patch | 44 +++++++++++++++++++ .../opcua/open62541_1.3.8.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta-networking/recipes-protocols/opcua/open62541/CVE-2024-53429.patch diff --git a/meta-networking/recipes-protocols/opcua/open62541/CVE-2024-53429.patch b/meta-networking/recipes-protocols/opcua/open62541/CVE-2024-53429.patch new file mode 100644 index 0000000000..7afd7eb752 --- /dev/null +++ b/meta-networking/recipes-protocols/opcua/open62541/CVE-2024-53429.patch @@ -0,0 +1,44 @@ +From c69c42bb55f66e1721367dc9c98d0b4a63b14c25 Mon Sep 17 00:00:00 2001 +From: Julius Pfrommer +Date: Tue, 22 Oct 2024 21:47:15 +0200 +Subject: [PATCH] refactor(core): Validate Variant ArrayLength against its + ArrayDimensions during binary decode + +This lead to the fuzzer complaing since we hade the check for _encode +but not for _decode. This is not a direct memory issue per se. But the +consistency check allows early discovery of problematic values and +can potentially remove bugs where the user relies on the array +dimensions and the array length to match. + +CVE: CVE-2024-53429 +Upstream-Status: Backport [https://github.com/open62541/open62541/commit/b9473527623125b5ca264dae4551f8cc414b3bc3] +(cherry picked from commit b9473527623125b5ca264dae4551f8cc414b3bc3) +Signed-off-by: Ankur Tyagi +--- + src/ua_types_encoding_binary.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/ua_types_encoding_binary.c b/src/ua_types_encoding_binary.c +index 7b3a4f6b8..0272ba399 100644 +--- a/src/ua_types_encoding_binary.c ++++ b/src/ua_types_encoding_binary.c +@@ -1093,9 +1093,18 @@ DECODE_BINARY(Variant) { + } + + /* Decode array dimensions */ +- if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0) ++ if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0) { + ret |= Array_decodeBinary((void**)&dst->arrayDimensions, &dst->arrayDimensionsSize, + &UA_TYPES[UA_TYPES_INT32], ctx); ++ /* Validate array length against array dimensions */ ++ size_t totalSize = 1; ++ for(size_t i = 0; i < dst->arrayDimensionsSize; ++i) { ++ if(dst->arrayDimensions[i] == 0) ++ return UA_STATUSCODE_BADDECODINGERROR; ++ totalSize *= dst->arrayDimensions[i]; ++ } ++ UA_CHECK(totalSize == dst->arrayLength, ret = UA_STATUSCODE_BADDECODINGERROR); ++ } + + ctx->depth--; + return ret; diff --git a/meta-networking/recipes-protocols/opcua/open62541_1.3.8.bb b/meta-networking/recipes-protocols/opcua/open62541_1.3.8.bb index 19a50aee3a..ed859c9c92 100644 --- a/meta-networking/recipes-protocols/opcua/open62541_1.3.8.bb +++ b/meta-networking/recipes-protocols/opcua/open62541_1.3.8.bb @@ -19,6 +19,7 @@ SRC_URI = " \ git://github.com/OPCFoundation/UA-Nodeset;name=ua-nodeset;protocol=https;branch=v1.04;destsuffix=git/deps/ua-nodeset \ git://github.com/LiamBindle/MQTT-C.git;name=mqtt-c;protocol=https;branch=master;destsuffix=git/deps/mqtt-c \ file://0001-fix-build-do-not-install-git-files.patch \ + file://CVE-2024-53429.patch \ " S = "${WORKDIR}/git" From patchwork Fri Jan 9 09:28:38 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78321 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B9444D167E5 for ; Fri, 9 Jan 2026 09:29:16 +0000 (UTC) Received: from mail-pl1-f194.google.com (mail-pl1-f194.google.com [209.85.214.194]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.6762.1767950951044784099 for ; Fri, 09 Jan 2026 01:29:11 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=DAIgToZJ; spf=pass (domain: gmail.com, ip: 209.85.214.194, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f194.google.com with SMTP id d9443c01a7336-2a0834769f0so31114385ad.2 for ; Fri, 09 Jan 2026 01:29:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950950; x=1768555750; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=0GbBZA9EI+yWSWkv9RObQRvkcHQ07Oi31x8kWxXwRMs=; b=DAIgToZJa8Du2IO8UtKllCVcvfXtEuYCGhPv1Q007Lvv5GzXdT18+btj+MWKl5Fir0 0Mvnx8FFfB0Tlve0HcG4Ja/8mgRWVHV2NGyaR1D1K/e8OVNQ8JU6gBEo6dLy0Ufr/Ryy 7Z3kBX7jKvCp7CVfMRtSUvd8QSdRxKHs1fomqfreOUg07rsez+/ftx3fDn0NRJh0Cnao XI3PU5Kidcjui1FHLC+wCNe2NlioARck5dMJ+eEKc1X9bk2KzksCwVqZk03mimFmdNRQ 8IAK3fT4/tC2NBPXyzzoq+tGCM94y/J/4rc/loePflPCbLqCbc88Oyg9WrIq8VtGU/oz BIUQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950950; x=1768555750; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=0GbBZA9EI+yWSWkv9RObQRvkcHQ07Oi31x8kWxXwRMs=; b=KW8iPm9owIij+YORe2+BfGhtq4pRy9oGaYe3RmvmK5Y6HGPHohXyXDyq6urRKmOeUh jANNVh/vRG0UO+kYjnh2OxzawoqTQiaGtzRiN9hmhW0GG2itk/gcMJcDj69KTnHX2XED fYzhMjtrrICZManj1VzwR9cZoVfBp3Bsir45IP23Es+0nzDucucx6GSzL+0R36ET5dxn zsVBhab+wwIQMKo9ZENfhO2RyQKlncjA/X39+IBpc92OC/XNHKNj1zVynvO8uNDSFaiW w/1Mc5dhMs0p7zeYYjdsGTnnmzXWLYuXZnQwa6drSAz8T6n7m6PuEx9XTK1xILsikyuu iWuw== X-Gm-Message-State: AOJu0YxChli3QC1aJU18sIxdp2C96jw1zjHoGcDnBc6I2x9a0y5tAPiE uGQ7ypsYS8hsZIlBoErbjFM6yjO9hdN+4ppDSk7wCMtvRJunxH7QRi0LKVTZ6lXO X-Gm-Gg: AY/fxX7woc9T0p/YfuRibNM01l1YfCpxWSJEvD9df3FpHi9nWmAHy57dknjiseHLR5n dJue9Cfyvld24kXIVGq/0S6c/AkSKI+IOBqytdvx7eJiugqVdm5kbtyt2+esKD4bPFcLcnBXnPF 7NvGQKUDtantpv5fa0u0S5ktpe3HGceziMiG2KZVuYBK0bw8xwss82ZUu+UCgojZ84WSMABn3Fd FoAmHEzYPcLAIRDMJbENPQGacZIG6LCbhdmdkq17sUrmMd1RvxuR/VfR1/VooEeEujOpR2SIQBD 0/1+A7VKj4EIxJ4J07vHSR688zoSlwVwF5wEgp3P3CyagQij5mBzrNWIlIQPpk107AFmjNLQ13M by3AtR4EJG05WPMr89QjRAVB8acpS6AXBmjfy6PWhpp9ze9KnJSDehtjhc61/MOBYOdcMnRMvIY xhrW+stiTS/nWIRNAYtiSIYUs= X-Google-Smtp-Source: AGHT+IGM6BsaKplJwVAwHCDY95HrOMrTJVgi4cwWKqCe87HTsVJ+7iFhpD7QGKrYed/jpyMGFDQVjw== X-Received: by 2002:a17:903:2a8e:b0:295:5668:2f27 with SMTP id d9443c01a7336-2a3ee41cf71mr79350695ad.9.1767950950108; Fri, 09 Jan 2026 01:29:10 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.29.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:29:09 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 08/12] proftpd: patch CVE-2024-48651 Date: Fri, 9 Jan 2026 22:28:38 +1300 Message-ID: <20260109092843.1924568-8-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> References: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:29:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123286 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2024-48651 Signed-off-by: Ankur Tyagi --- .../proftpd/files/CVE-2024-48651.patch | 320 ++++++++++++++++++ .../recipes-daemons/proftpd/proftpd_1.3.7f.bb | 1 + 2 files changed, 321 insertions(+) create mode 100644 meta-networking/recipes-daemons/proftpd/files/CVE-2024-48651.patch diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2024-48651.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2024-48651.patch new file mode 100644 index 0000000000..e89a767334 --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2024-48651.patch @@ -0,0 +1,320 @@ +From fcb363a1054f2f650f80d307b616d59fb711bfc1 Mon Sep 17 00:00:00 2001 +From: TJ Saunders +Date: Wed, 13 Nov 2024 06:33:35 -0800 +Subject: [PATCH] Issue #1830: When no supplemental groups are provided by the + underlying authentication providers, fall back to using the primary + group/GID. (#1835) + +This prevents surprise due to inheritance of the parent processes' supplemental group membership, which might inadvertently provided undesired access. + +CVE: CVE-2024-48651 +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1] +Signed-off-by: Ankur Tyagi +--- + contrib/mod_sftp/auth.c | 14 +- + modules/mod_auth.c | 19 +- + src/auth.c | 14 +- + .../ProFTPD/Tests/Modules/mod_sql_sqlite.pm | 174 ++++++++++++++++++ + 4 files changed, 209 insertions(+), 12 deletions(-) + +diff --git a/contrib/mod_sftp/auth.c b/contrib/mod_sftp/auth.c +index ede821daa..2854a03cd 100644 +--- a/contrib/mod_sftp/auth.c ++++ b/contrib/mod_sftp/auth.c +@@ -382,8 +382,20 @@ static int setup_env(pool *p, const char *user) { + session.groups == NULL) { + res = pr_auth_getgroups(p, pw->pw_name, &session.gids, &session.groups); + if (res < 1) { ++ /* If no supplemental groups are provided, default to using the process ++ * primary GID as the supplemental group. This prevents access ++ * regressions as seen in Issue #1830. ++ */ + (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION, +- "no supplemental groups found for user '%s'", pw->pw_name); ++ "no supplemental groups found for user '%s', " ++ "using primary group %s (GID %lu)", pw->pw_name, session.group, ++ (unsigned long) session.login_gid); ++ ++ session.gids = make_array(p, 2, sizeof(gid_t)); ++ session.groups = make_array(p, 2, sizeof(char *)); ++ ++ *((gid_t *) push_array(session.gids)) = session.login_gid; ++ *((char **) push_array(session.groups)) = pstrdup(p, session.group); + } + } + +diff --git a/modules/mod_auth.c b/modules/mod_auth.c +index e47ed148d..a1b71c0f7 100644 +--- a/modules/mod_auth.c ++++ b/modules/mod_auth.c +@@ -1111,8 +1111,8 @@ static int setup_env(pool *p, cmd_rec *cmd, const char *user, char *pass) { + session.groups = NULL; + } + +- if (!session.gids && +- !session.groups) { ++ if (session.gids == NULL && ++ session.groups == NULL) { + /* Get the supplemental groups. Note that we only look up the + * supplemental group credentials if we have not cached the group + * credentials before, in session.gids and session.groups. +@@ -1122,8 +1122,19 @@ static int setup_env(pool *p, cmd_rec *cmd, const char *user, char *pass) { + */ + res = pr_auth_getgroups(p, pw->pw_name, &session.gids, &session.groups); + if (res < 1) { +- pr_log_debug(DEBUG5, "no supplemental groups found for user '%s'", +- pw->pw_name); ++ /* If no supplemental groups are provided, default to using the process ++ * primary GID as the supplemental group. This prevents access ++ * regressions as seen in Issue #1830. ++ */ ++ pr_log_debug(DEBUG5, "no supplemental groups found for user '%s', " ++ "using primary group %s (GID %lu)", pw->pw_name, session.group, ++ (unsigned long) session.login_gid); ++ ++ session.gids = make_array(p, 2, sizeof(gid_t)); ++ session.groups = make_array(p, 2, sizeof(char *)); ++ ++ *((gid_t *) push_array(session.gids)) = session.login_gid; ++ *((char **) push_array(session.groups)) = pstrdup(p, session.group); + } + } + +diff --git a/src/auth.c b/src/auth.c +index 494a479c0..a6fe9f1c2 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -1512,12 +1512,12 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids, + } + + /* Allocate memory for the array_headers of GIDs and group names. */ +- if (group_ids) { +- *group_ids = make_array(permanent_pool, 2, sizeof(gid_t)); ++ if (group_ids != NULL) { ++ *group_ids = make_array(p, 2, sizeof(gid_t)); + } + +- if (group_names) { +- *group_names = make_array(permanent_pool, 2, sizeof(char *)); ++ if (group_names != NULL) { ++ *group_names = make_array(p, 2, sizeof(char *)); + } + + cmd = make_cmd(p, 3, name, group_ids ? *group_ids : NULL, +@@ -1536,7 +1536,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids, + * for the benefit of auth_getgroup() implementors. + */ + +- if (group_ids) { ++ if (group_ids != NULL) { + register unsigned int i; + char *strgids = ""; + gid_t *gids = (*group_ids)->elts; +@@ -1552,7 +1552,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids, + *strgids ? strgids : "(None; corrupted group file?)"); + } + +- if (group_names) { ++ if (group_names != NULL) { + register unsigned int i; + char *strgroups = ""; + char **groups = (*group_names)->elts; +@@ -1568,7 +1568,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids, + } + } + +- if (cmd->tmp_pool) { ++ if (cmd->tmp_pool != NULL) { + destroy_pool(cmd->tmp_pool); + cmd->tmp_pool = NULL; + } +diff --git a/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm b/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm +index 4abb6eb59..4693dbf8f 100644 +--- a/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm ++++ b/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm +@@ -467,6 +467,11 @@ my $TESTS = { + order => ++$order, + test_class => [qw(forking bug mod_tls)], + }, ++ ++ sql_user_info_no_suppl_groups_issue1830 => { ++ order => ++$order, ++ test_class => [qw(forking bug rootprivs)], ++ }, + }; + + sub new { +@@ -15732,4 +15737,173 @@ EOC + test_cleanup($setup->{log_file}, $ex); + } + ++sub sql_user_info_no_suppl_groups_issue1830 { ++ my $self = shift; ++ my $tmpdir = $self->{tmpdir}; ++ my $setup = test_setup($tmpdir, 'sqlite'); ++ ++ my $db_file = File::Spec->rel2abs("$tmpdir/proftpd.db"); ++ ++ # Build up sqlite3 command to create users, groups tables and populate them ++ my $db_script = File::Spec->rel2abs("$tmpdir/proftpd.sql"); ++ ++ if (open(my $fh, "> $db_script")) { ++ print $fh <{user}', '$setup->{passwd}', $setup->{uid}, $setup->{gid}, '$setup->{home_dir}', '/bin/bash'); ++ ++CREATE TABLE groups ( ++ groupname TEXT, ++ gid INTEGER, ++ members TEXT ++); ++INSERT INTO groups (groupname, gid, members) VALUES ('$setup->{group}', $setup->{gid}, '$setup->{user}'); ++EOS ++ ++ unless (close($fh)) { ++ die("Can't write $db_script: $!"); ++ } ++ ++ } else { ++ die("Can't open $db_script: $!"); ++ } ++ ++ my $cmd = "sqlite3 $db_file < $db_script"; ++ build_db($cmd, $db_script); ++ ++ # Make sure that, if we're running as root, the database file has ++ # the permissions/privs set for use by proftpd ++ if ($< == 0) { ++ unless (chmod(0666, $db_file)) { ++ die("Can't set perms on $db_file to 0666: $!"); ++ } ++ } ++ ++ my $config = { ++ PidFile => $setup->{pid_file}, ++ ScoreboardFile => $setup->{scoreboard_file}, ++ SystemLog => $setup->{log_file}, ++ TraceLog => $setup->{log_file}, ++ Trace => 'auth:20 sql:20', ++ ++ # Required for logging the expected message ++ DebugLevel => 5, ++ ++ IfModules => { ++ 'mod_delay.c' => { ++ DelayEngine => 'off', ++ }, ++ ++ 'mod_sql.c' => { ++ AuthOrder => 'mod_sql.c', ++ ++ SQLAuthenticate => 'users', ++ SQLAuthTypes => 'plaintext', ++ SQLBackend => 'sqlite3', ++ SQLConnectInfo => $db_file, ++ SQLLogFile => $setup->{log_file}, ++ ++ # Set these, so that our lower UID/GID will be used ++ SQLMinUserUID => 100, ++ SQLMinUserGID => 100, ++ }, ++ }, ++ }; ++ ++ my ($port, $config_user, $config_group) = config_write($setup->{config_file}, ++ $config); ++ ++ # Open pipes, for use between the parent and child processes. Specifically, ++ # the child will indicate when it's done with its test by writing a message ++ # to the parent. ++ my ($rfh, $wfh); ++ unless (pipe($rfh, $wfh)) { ++ die("Can't open pipe: $!"); ++ } ++ ++ my $ex; ++ ++ # Fork child ++ $self->handle_sigchld(); ++ defined(my $pid = fork()) or die("Can't fork: $!"); ++ if ($pid) { ++ eval { ++ sleep(2); ++ ++ my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port); ++ $client->login($setup->{user}, $setup->{passwd}); ++ ++ my $resp_msgs = $client->response_msgs(); ++ my $nmsgs = scalar(@$resp_msgs); ++ ++ my $expected = 1; ++ $self->assert($expected == $nmsgs, ++ test_msg("Expected $expected, got $nmsgs")); ++ ++ $expected = "User $setup->{user} logged in"; ++ $self->assert($expected eq $resp_msgs->[0], ++ test_msg("Expected response '$expected', got '$resp_msgs->[0]'")); ++ ++ $client->quit(); ++ }; ++ if ($@) { ++ $ex = $@; ++ } ++ ++ $wfh->print("done\n"); ++ $wfh->flush(); ++ ++ } else { ++ eval { server_wait($setup->{config_file}, $rfh) }; ++ if ($@) { ++ warn($@); ++ exit 1; ++ } ++ ++ exit 0; ++ } ++ ++ # Stop server ++ server_stop($setup->{pid_file}); ++ $self->assert_child_ok($pid); ++ ++ eval { ++ if (open(my $fh, "< $setup->{log_file}")) { ++ my $ok = 0; ++ ++ while (my $line = <$fh>) { ++ chomp($line); ++ ++ if ($ENV{TEST_VERBOSE}) { ++ print STDERR "# $line\n"; ++ } ++ ++ if ($line =~ /no supplemental groups found for user '$setup->{user}', using primary group/) { ++ $ok = 1; ++ last; ++ } ++ } ++ ++ close($fh); ++ ++ $self->assert($ok, test_msg("Did not see expected log message")); ++ ++ } else { ++ die("Can't read $setup->{log_file}: $!"); ++ } ++ }; ++ if ($@) { ++ $ex = $@ unless $ex; ++ } ++ ++ test_cleanup($setup->{log_file}, $ex); ++} ++ + 1; diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7f.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7f.bb index 9bfe9aed03..2c93393e68 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7f.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7f.bb @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/proftpd/proftpd.git;branch=${BRANCH};protocol=https file://CVE-2023-51713.patch \ file://CVE-2024-57392.patch \ file://CVE-2023-48795.patch \ + file://CVE-2024-48651.patch \ " S = "${WORKDIR}/git" From patchwork Fri Jan 9 09:28:39 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78323 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B9577D167E6 for ; Fri, 9 Jan 2026 09:29:16 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.6700.1767950953437624266 for ; Fri, 09 Jan 2026 01:29:13 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=TZjnglpA; spf=pass (domain: gmail.com, ip: 209.85.214.174, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-2a110548cdeso30837705ad.0 for ; Fri, 09 Jan 2026 01:29:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950952; x=1768555752; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=De8mEBknrViMR15fiRNFcb3vcE4qmlm5OwVm3+BWGkw=; b=TZjnglpAns2MC39izhTAkEnuP5bVC9XXNzEoz2MOkDis5wAKKYiKfkUKKMac6z3wd+ qZYEkFv0K/YfosY6+hqpJUWSDcVEM/dG9OPe8IO7QW6j7d9TNjr4ts2C1Ha/uQwUfMO8 IUhqzIu21sVWygX/7/ZMEnsIPyQ2fUlHLNEjJRWgHbtAPJ6lxZA3zoI3lASDGrAylfBy aU2/L33KEu8/4wK1IFZ7eU7ZWjZ+hLmhXCwP6Yjd7qJ3Sf37zINsxKJog1xrHsgZCasv I7OTSW0a0cVIPbs0D5xbKOJ9jTadUiqZ6Z0CmAoS3UhWBT2/NSpW0Do2Lx9kfqAPKAfW fk1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950952; x=1768555752; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=De8mEBknrViMR15fiRNFcb3vcE4qmlm5OwVm3+BWGkw=; b=SsdxTHHyGziritwza+soqYx7BcE4+BpukyXjXSftdDBGAP9kWuVkrjzk9D1zQ3+kif YseBzYKM+W4eitvXfVYtHf2FauhTesoECPReEuHvNXgQevWu2RsMR+j6Xkawvqd5twC5 j5GsliPk5wMHyckhAnyC8Ng2AWSak3iVCfzKqQj10ObUwpYr+wROjZPm+R4NKT1K9PT7 AW+n23YV+FYPzDmuGRXVQW/6NTB9OKhBx6E7wNBSNGkJ5FziqMMW1Rpbieb6lQHHhZi6 6egwp3RqELME76pxSr2oMbqxlkN7Uw6PN/hzMQXF6XiTB7eR1ukUU0d7eSzoB2s3eiOP Yn1Q== X-Gm-Message-State: AOJu0YwczihI7Cu/7+J5oMBSH8a0oK5IZ7BEhTV/5pDI2lODlava45zl pNF+bVlDDwg3RB+Avmgu4RGOBGOXo6J1YCiOvGRS0nUmQfsZl/AZNQCx/arEdA== X-Gm-Gg: AY/fxX7YK5pMl2qHyitoDENoz9glSeIoi8SnS3p9HB6psml2L+kLn4L8wTottLEV0Px Am35FSspapUjfIcLTW1HdmLRdlyUKLKcj9pJ2LmFRfuhf6MfK4J93uE1KjFIcm2eG2luuQvJuIc aFLxHh9gWgeDp1KRP/ImasqD/yaUD2gaY3hiS5a8NmYGSTlhYg+9DAeq3gqt5YWElERJS0hfYhD /gqgruzB6h1U+OmfcXHOoFAhKvf2U5T66XOgQXBQkzNkUKFrnN4qCwzDAT8DtglNaIQUMfuAjg+ G/mFXP6m0Sm5+QYovXwDA1S5UAedfRu59UnTyLfzqVVw6siun4uJNSwsunxuX5lEieSNpAgUvIl lhmP0ePHTaHkTp55Y1hSVs0w4ZRSdSde8CHXcJgFBHqgP8jQALj1BOsxJIJy53BAD72FaSgwyqy 16rsRmqOaXXznFKTnZRetphIs= X-Google-Smtp-Source: AGHT+IFNj10V72DpZMc0B40eF3n1OljLqJsoEhwWZJr/67TGk8LbgKfNc+7h//OIc5ayju7L0rlZgw== X-Received: by 2002:a17:903:17c6:b0:297:cf96:45bd with SMTP id d9443c01a7336-2a3ee45d830mr85092555ad.19.1767950952493; Fri, 09 Jan 2026 01:29:12 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.29.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:29:12 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 09/12] znc: patch CVE-2024-39844 Date: Fri, 9 Jan 2026 22:28:39 +1300 Message-ID: <20260109092843.1924568-9-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> References: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:29:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123287 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39844 Backport commit[1] from https://github.com/znc/znc/releases/tag/znc-1.9.1 [1] https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e Signed-off-by: Ankur Tyagi --- .../recipes-irc/znc/znc/CVE-2024-39844.patch | 62 +++++++++++++++++++ meta-networking/recipes-irc/znc/znc_1.8.2.bb | 1 + 2 files changed, 63 insertions(+) create mode 100644 meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch diff --git a/meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch b/meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch new file mode 100644 index 0000000000..cf9486791c --- /dev/null +++ b/meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch @@ -0,0 +1,62 @@ +From d3867e667ec813a448a0845087a8d87bad58402d Mon Sep 17 00:00:00 2001 +From: Alexey Sokolov +Date: Mon, 1 Jul 2024 09:59:16 +0100 +Subject: [PATCH] Fix RCE vulnerability in modtcl + +Remote attacker could execute arbitrary code embedded into the kick +reason while kicking someone on a channel. + +To mitigate this for existing installations, simply unload the modtcl +module for every user, if it's loaded. +Note that only users with admin rights can load modtcl at all. + +While at it, also escape the channel name. + +Discovered by Johannes Kuhn (DasBrain) + +Patch by https://github.com/glguy + +CVE-2024-39844 + +CVE: CVE-2024-39844 +Upstream-Status: Backport [https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e] +(cherry picked from commit 8cbf8d628174ddf23da680f3f117dc54da0eb06e) +Signed-off-by: Ankur Tyagi +--- + modules/modtcl.cpp | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/modules/modtcl.cpp b/modules/modtcl.cpp +index c64bc43f..58e68f51 100644 +--- a/modules/modtcl.cpp ++++ b/modules/modtcl.cpp +@@ -248,8 +248,9 @@ class CModTcl : public CModule { + // chan specific + unsigned int nLength = vChans.size(); + for (unsigned int n = 0; n < nLength; n++) { ++ CString sChannel = TclEscape(CString(vChans[n]->GetName())); + sCommand = "Binds::ProcessNick {" + sOldNick + "} {" + sHost + +- "} - {" + vChans[n]->GetName() + "} {" + sNewNickTmp + ++ "} - {" + sChannel + "} {" + sNewNickTmp + + "}"; + int i = Tcl_Eval(interp, sCommand.c_str()); + if (i != TCL_OK) { +@@ -260,14 +261,16 @@ class CModTcl : public CModule { + + void OnKick(const CNick& OpNick, const CString& sKickedNick, CChan& Channel, + const CString& sMessage) override { ++ CString sMes = TclEscape(sMessage); + CString sOpNick = TclEscape(CString(OpNick.GetNick())); + CString sNick = TclEscape(sKickedNick); + CString sOpHost = + TclEscape(CString(OpNick.GetIdent() + "@" + OpNick.GetHost())); ++ CString sChannel = TclEscape(Channel.GetName()); + + CString sCommand = "Binds::ProcessKick {" + sOpNick + "} {" + sOpHost + +- "} - {" + Channel.GetName() + "} {" + sNick + "} {" + +- sMessage + "}"; ++ "} - {" + sChannel + "} {" + sNick + "} {" + ++ sMes + "}"; + int i = Tcl_Eval(interp, sCommand.c_str()); + if (i != TCL_OK) { + PutModule(Tcl_GetStringResult(interp)); diff --git a/meta-networking/recipes-irc/znc/znc_1.8.2.bb b/meta-networking/recipes-irc/znc/znc_1.8.2.bb index 68dd0702f7..9901344601 100644 --- a/meta-networking/recipes-irc/znc/znc_1.8.2.bb +++ b/meta-networking/recipes-irc/znc/znc_1.8.2.bb @@ -7,6 +7,7 @@ DEPENDS = "openssl zlib icu" SRC_URI = "git://github.com/znc/znc.git;name=znc;branch=master;protocol=https \ git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket;branch=master;protocol=https \ + file://CVE-2024-39844.patch \ " SRCREV_znc = "bf253640d33d03331310778e001fb6f5aba2989e" SRCREV_Csocket = "e8d9e0bb248c521c2c7fa01e1c6a116d929c41b4" From patchwork Fri Jan 9 09:28:40 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78322 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C5B15D167E8 for ; Fri, 9 Jan 2026 09:29:16 +0000 (UTC) Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.6763.1767950955993007907 for ; Fri, 09 Jan 2026 01:29:16 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=EIlnhFC4; spf=pass (domain: gmail.com, ip: 209.85.214.173, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-2a0bb2f093aso30240055ad.3 for ; Fri, 09 Jan 2026 01:29:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950955; x=1768555755; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=8aSlroGKUvGg7Wdwv4mpsUDy4muaL53OXGTlWAWqrwA=; b=EIlnhFC4YoHkeWv9rXU4soOQeo00yasfUTVAb7oIOk+n11mLNT/wDQPMt9uGSWf681 0FBNX3DVdJuhuHyt82FR6ybqbHsiLpF8QCIQthmnCCHvqIgGnCD+fcNOQYcW2QFH2FU2 QwtINkjFiQpGQCaeO5Bcp7L4txrc6RBXP1nLAycM9h5AsfkgqbNe6Xm07sgPL7iu3GZg W8bfQFGyWntpV9oojS2CYNF0nngUhq91Qfh/jumQkYlfHh5GpAuVoGIITNYZ14GOH5VL vYaU4LnzHZBMZYhjY8Slf5FVUdD2cuW0m5haQf+RjLWf3TfODIPvUpmN8o4Kb9bIxGWG Kjkw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950955; x=1768555755; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=8aSlroGKUvGg7Wdwv4mpsUDy4muaL53OXGTlWAWqrwA=; b=mXzS9brJLAFEU4jyp9yjbcw/4Cu5HPuR3J4UxchCtQwBDhB/TzujkwCTS6QQF/KVK+ MUWHFiSNl0O9rTa9BACdRE1JnEul8MXgriJRaQkfObFaJoYLZ5Y8aUuFrRIfgl6uRlP3 gnYbsoC3/d5bjgHGRsx/Kbq6+8yBomQth62V74tTdLJMLQ7ivT0eQsG1hbyxeIgwNgnm ePzQZtWxkFSC32kSikMeHUgZdH9maWPBuU2ndDT1+sm6ELXEHKlD3ZUuQqeMrK9SyC7v BMV3XQlwyy1qNpMndh5HLjMADjpeWzcwtj/GSkDxNbsIBCTxCkM/2PqtSYgp7Q6ADamE AhAg== X-Gm-Message-State: AOJu0Yy715ag8Chiz7L2ICAbznTC/Kd3OzvGAEruUGA9uqz/P3xoUEDg l0OQKLi9duKVdaLQo82wPa7sOxdtCUH+usfoRdDd/e3U0BUv8WIuDAqjqX6mfA== X-Gm-Gg: AY/fxX48gL8lhgdztrJHt9lfC/PFVy1Ylt4GJF+/UYyngOqYuIg+q7pZ4zYd8gtZRHk Id2PHuH4f6wVaoNXc11Qfm+ArgAzHxdDerdTHCRUPzYJQHS+ta/N36eHQBlk5Jj4O/MxkY7l+2Q xG7DZxVLxke4tQkfu1E/+P8y8nviI2E9F6wCyf9DZIkFM1p7JsgQN/ek8YlhPbkNKPDl5Xbg5ud 3HGinBVaOxpA3SqDA95NjIqFtGq47eapS+MAkugt2+ebT+dga9VaeatSDlNFAEUfa3Egr60e2yz M7Jtb7szc8AjpATnDArX4WQIG8y3RJ3fqTgrgvxYMNTAu8B6tqOIbrQUmqQT4ooRcc3VhjY6QKJ XyyIVhAU37sKbjffNEBd06QSkqVtUmRxgXq0E1B9ddHiUnm3MzvaoAEK6J4ohRoaZiyqnH8A71F mKJq/IWsfXyKxn4u2CEdmIdC0= X-Google-Smtp-Source: AGHT+IHvQTa55L2rWEw+4aF+yck4j3pqKWwTXtmnyY0lFM/XbGxLr3/4S9DcgFW+qodCBIiVBA4huA== X-Received: by 2002:a17:903:3c30:b0:2a0:fe4a:d67c with SMTP id d9443c01a7336-2a3ee437a5dmr87500945ad.10.1767950955099; Fri, 09 Jan 2026 01:29:15 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.29.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:29:14 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 10/12] tinyproxy: patch CVE-2025-63938 Date: Fri, 9 Jan 2026 22:28:40 +1300 Message-ID: <20260109092843.1924568-10-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> References: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:29:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123288 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-63938 Signed-off-by: Ankur Tyagi --- .../tinyproxy/tinyproxy/CVE-2025-63938.patch | 42 +++++++++++++++++++ .../tinyproxy/tinyproxy_1.11.1.bb | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2025-63938.patch diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2025-63938.patch b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2025-63938.patch new file mode 100644 index 0000000000..27b1440b23 --- /dev/null +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2025-63938.patch @@ -0,0 +1,42 @@ +From a8167245203adb6cae66f04e4d493a4710b993ae Mon Sep 17 00:00:00 2001 +From: rofl0r +Date: Fri, 17 Oct 2025 22:57:39 +0000 +Subject: [PATCH] reqs: fix integer overflow in port number processing + +closes #586 + +CVE: CVE-2025-63938 +Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/3c0fde94981b025271ffa1788ae425257841bf5a] +(cherry picked from commit 3c0fde94981b025271ffa1788ae425257841bf5a) +Signed-off-by: Ankur Tyagi +--- + src/reqs.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/reqs.c b/src/reqs.c +index 705ce11..b6a7d27 100644 +--- a/src/reqs.c ++++ b/src/reqs.c +@@ -174,7 +174,7 @@ static int strip_return_port (char *host) + { + char *ptr1; + char *ptr2; +- int port; ++ unsigned port; + + ptr1 = strrchr (host, ':'); + if (ptr1 == NULL) +@@ -186,8 +186,11 @@ static int strip_return_port (char *host) + return 0; + + *ptr1++ = '\0'; +- if (sscanf (ptr1, "%d", &port) != 1) /* one conversion required */ +- return 0; ++ ++ port = atoi(ptr1); ++ /* check that port string is in the valid range 1-0xffff) */ ++ if(strlen(ptr1) > 5 || (port & 0xffff0000)) return 0; ++ + return port; + } + diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb index 8aff50fac8..00e25254a8 100644 --- a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.1.bb @@ -9,6 +9,7 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.gz file://tinyproxy.conf \ file://CVE-2022-40468.patch \ file://0001-CVE-2023-49606.patch \ + file://CVE-2025-63938.patch \ " SRC_URI[sha256sum] = "1574acf7ba83c703a89e98bb2758a4ed9fda456f092624b33cfcf0ce2d3b2047" From patchwork Fri Jan 9 09:28:41 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78325 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1FBCD167E2 for ; Fri, 9 Jan 2026 09:29:26 +0000 (UTC) Received: from mail-pg1-f175.google.com (mail-pg1-f175.google.com [209.85.215.175]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.6764.1767950958846960762 for ; Fri, 09 Jan 2026 01:29:18 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=cJR16rDn; spf=pass (domain: gmail.com, ip: 209.85.215.175, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f175.google.com with SMTP id 41be03b00d2f7-c47ee987401so1252971a12.1 for ; Fri, 09 Jan 2026 01:29:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950958; x=1768555758; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=KXEZ/Xif13+HCHrFDuRxt5e3NwrYcSviKupvNI/gezA=; b=cJR16rDnusmDuHquDp11nPD28Cd8zyF0zg+1qSP0+CczB2GAPcIC9rAN+4FsBNH1G7 Z6xteXRgQx9RyAl7evlIvUq8qDJO3yNBSjGZnr7cuyigv8iRFJIH6p/Q0nsxbIEYQJ0K 5cWJNF1YE9/0UWEchuguAmItBEi8yYhBnOISrq/06cPOdT0mOI15lk1CacfP5Lia1zSr GPD1EXeKNm+rWZfiz4EmPhJc4YK549aUpi/+xWbhKCo+d2OLmRb3pf594t6fhqGftIOF DHQYuGxoknYyq8FFuXzpqzET/1+HUuRdtSmqKNHxjhMdawidTyA7MX+vIkwgB9GYe8nQ 656A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950958; x=1768555758; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=KXEZ/Xif13+HCHrFDuRxt5e3NwrYcSviKupvNI/gezA=; b=RP+xQ6TvjxxF6TSfSpUJ4CcDtw1Pjd4tAR4Z5XnxXtc3mBKaTh71oiW7TvyktNrftX MZ/DU694XbwLgHa+26GrsPV+zJXbJ1zYHUgICcmvf33iNWjkq0M7FkNRtWW/1x3QMMmV i8sYY0Unk2rsOr016Kpm9JbaAp/8HUZI4Q25N/WC95iKdWrqu3u4khr/csehkFdxH5sj SmpTxC6R4QW+r3YCUdsMD/2lszt0VYRwrG+YFDpdEWz11oFP4jcOaA3wEtn85WJm3rjO owA58oVvKK4isbeP4DHusF3Sc8JFWVERlXKNjZTayrlnip0XDf8gBTW6nAt+b64iI7TP /vAA== X-Gm-Message-State: AOJu0Ywvn7Glv44i7A7VjZWbhOjet9ab7jfM0QRqUEPuPY8f8ngnF3Y8 5Sf5QbCKO2pRJd3xjPaCaOPWbZklSW17gRVPrWyM81OOtAzl2Xrc5R/v3BWskw== X-Gm-Gg: AY/fxX4TV7blcOULNByAOXyFNIXT3Cpx5SYj7XrizulFyLaEX08wYyUmgRHfUF4BsCT OBH8FCq0Q5I1FdcF0GPU2K5SmT+uL3lsk5rCKk4BszRZJ4KqANI4qmCVKJ1HQzIyfGHJ6HiBLHX GXzpbZN+1YQ4rcfWuAIWE9bHTCmWB7nrg0S1DCBv2FhIwH/MUiEgXu6rU3kY7833eD4LFuqTLB0 iZmu8jSOjFckPrpjcmdbysIQlsOrpus9SZYxQ8Y+i7msL5gx96q5mfAPuDi1V3x82LXJV1jKU05 Fa/Z48Ux1RJLFhxBwJqzFQyHKIO0N3fNbxM+YtvxxIZjtGinUkwVSylnEmto+FWvrhLAqmgZ95h fSccrOJLZl8VSkXcLFg3mCOmm3pDOgdNAegMHax6kMhHTtbxGCb3LcuxT2KweOmQdaJQ2gBaIMx 36xU9yXAg9ULqqO/vMyqHl5eY= X-Google-Smtp-Source: AGHT+IF4drDpYL8F0RBIJJd2UGg9nP86+Nwk1vZ5+DVMf4uNiCiSffoKvznt5uQEBIfoehzh5zFOVw== X-Received: by 2002:a05:6a20:6a04:b0:342:a261:e2c9 with SMTP id adf61e73a8af0-3898e9c6f99mr9490074637.8.1767950957722; Fri, 09 Jan 2026 01:29:17 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.29.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:29:17 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 11/12] wolfssl: patch CVE-2025-7394 Date: Fri, 9 Jan 2026 22:28:41 +1300 Message-ID: <20260109092843.1924568-11-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> References: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:29:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123289 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7394 Backport patches from the PR[1][2][3] mentioned in the changelog[4]. [1] https://github.com/wolfSSL/wolfssl/pull/8849 [2] https://github.com/wolfSSL/wolfssl/pull/8867 [3] https://github.com/wolfSSL/wolfssl/pull/8898 [4] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025 Signed-off-by: Ankur Tyagi --- .../wolfssl/files/CVE-2025-7394-1.patch | 46 +++ .../wolfssl/files/CVE-2025-7394-2.patch | 275 ++++++++++++++++++ .../wolfssl/files/CVE-2025-7394-3.patch | 125 ++++++++ .../wolfssl/files/CVE-2025-7394-4.patch | 85 ++++++ .../wolfssl/files/CVE-2025-7394-5.patch | 40 +++ .../wolfssl/files/CVE-2025-7394-6.patch | 48 +++ .../wolfssl/wolfssl_5.7.2.bb | 6 + 7 files changed, 625 insertions(+) create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-1.patch create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-2.patch create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-3.patch create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-4.patch create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-5.patch create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-6.patch diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-1.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-1.patch new file mode 100644 index 0000000000..e561b266f0 --- /dev/null +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-1.patch @@ -0,0 +1,46 @@ +From 6d0ee56813d69eee72108e1dc859743e02f70077 Mon Sep 17 00:00:00 2001 +From: Josh Holtrop +Date: Thu, 5 Jun 2025 19:48:34 -0400 +Subject: [PATCH] Reseed DRBG in RAND_poll() + +CVE: CVE-2025-7394 +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0c12337194ee6dd082f082f0ccaed27fc4ee44f5] +(cherry picked from commit 0c12337194ee6dd082f082f0ccaed27fc4ee44f5) +Signed-off-by: Ankur Tyagi +--- + src/ssl.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/src/ssl.c b/src/ssl.c +index 9ba891d62..a1421d523 100644 +--- a/src/ssl.c ++++ b/src/ssl.c +@@ -24159,11 +24159,25 @@ int wolfSSL_RAND_poll(void) + return WOLFSSL_FAILURE; + } + ret = wc_GenerateSeed(&globalRNG.seed, entropy, entropy_sz); +- if (ret != 0){ ++ if (ret != 0) { + WOLFSSL_MSG("Bad wc_RNG_GenerateBlock"); + ret = WOLFSSL_FAILURE; +- }else +- ret = WOLFSSL_SUCCESS; ++ } ++ else { ++#ifdef HAVE_HASHDRBG ++ ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz); ++ if (ret != 0) { ++ WOLFSSL_MSG("Error reseeding DRBG"); ++ ret = WOLFSSL_FAILURE; ++ } ++ else { ++ ret = WOLFSSL_SUCCESS; ++ } ++#else ++ WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set"); ++ ret = WOLFSSL_FAILURE; ++#endif ++ } + + return ret; + } diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-2.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-2.patch new file mode 100644 index 0000000000..883a5a1137 --- /dev/null +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-2.patch @@ -0,0 +1,275 @@ +From b506ed4aeb2c86788422427624a03eb9bda52efc Mon Sep 17 00:00:00 2001 +From: JacobBarthelmeh +Date: Tue, 10 Jun 2025 12:49:08 -0600 +Subject: [PATCH] add sanity checks on pid with RNG + +CVE: CVE-2025-7394 +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/31490ab813a5aac096f50800c26c690d8ae586d2] +Signed-off-by: Ankur Tyagi +--- + CMakeLists.txt | 1 + + configure.ac | 4 +- + src/ssl.c | 40 +++++++++++- + wolfcrypt/src/random.c | 126 ++++++++++++++++++++++--------------- + wolfssl/wolfcrypt/random.h | 3 + + 5 files changed, 118 insertions(+), 56 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 4e6f05fc6..910a36648 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -124,6 +124,7 @@ check_function_exists("memset" HAVE_MEMSET) + check_function_exists("socket" HAVE_SOCKET) + check_function_exists("strftime" HAVE_STRFTIME) + check_function_exists("__atomic_fetch_add" HAVE_C___ATOMIC) ++check_function_exists("getpid" HAVE_GETPID) + + include(CheckTypeSize) + +diff --git a/configure.ac b/configure.ac +index c973b7e39..43ddd4767 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -125,8 +125,8 @@ AC_CHECK_HEADER(stdatomic.h, [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ATOMIC_H" + # check if functions of interest are linkable, but also check if + # they're declared by the expected headers, and if not, supersede the + # unusable positive from AC_CHECK_FUNCS(). +-AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit]) +-AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit], [], [ ++AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit getpid]) ++AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit, getpid], [], [ + if test "$(eval echo \$"$(eval 'echo ac_cv_func_${as_decl_name}')")" = "yes" + then + AC_MSG_NOTICE([ note: earlier check for $(eval 'echo ${as_decl_name}') superseded.]) +diff --git a/src/ssl.c b/src/ssl.c +index a1421d523..872aed594 100644 +--- a/src/ssl.c ++++ b/src/ssl.c +@@ -23615,6 +23615,10 @@ int wolfSSL_RAND_Init(void) + if (initGlobalRNG == 0) { + ret = wc_InitRng(&globalRNG); + if (ret == 0) { ++ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \ ++ FIPS_VERSION3_LT(6,0,0))) ++ currentPid = getpid(); ++ #endif + initGlobalRNG = 1; + ret = WOLFSSL_SUCCESS; + } +@@ -24045,8 +24049,30 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num) + return ret; + } + +-/* returns WOLFSSL_SUCCESS if the bytes generated are valid otherwise +- * WOLFSSL_FAILURE */ ++#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0))) ++/* In older FIPS bundles add check for reseed here since it does not exist in ++ * the older random.c certified files. */ ++static pid_t currentPid = 0; ++ ++/* returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */ ++static int RandCheckReSeed() ++{ ++ int ret = WOLFSSL_SUCCESS; ++ pid_t p; ++ ++ p = getpid(); ++ if (p != currentPid) { ++ currentPid = p; ++ if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) { ++ ret = WOLFSSL_FAILURE; ++ } ++ } ++ return ret; ++} ++#endif ++ ++/* returns WOLFSSL_SUCCESS (1) if the bytes generated are valid otherwise 0 ++ * on failure */ + int wolfSSL_RAND_bytes(unsigned char* buf, int num) + { + int ret = 0; +@@ -24089,6 +24115,16 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num) + */ + if (initGlobalRNG) { + rng = &globalRNG; ++ ++ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \ ++ FIPS_VERSION3_LT(6,0,0))) ++ if (RandCheckReSeed() != WOLFSSL_SUCCESS) { ++ wc_UnLockMutex(&globalRNGMutex); ++ WOLFSSL_MSG("Issue with check pid and reseed"); ++ return ret; ++ } ++ #endif ++ + used_global = 1; + } + else { +diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c +index 89c7411c9..b440e274b 100644 +--- a/wolfcrypt/src/random.c ++++ b/wolfcrypt/src/random.c +@@ -1599,6 +1599,9 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz, + #else + rng->heap = heap; + #endif ++#ifdef HAVE_GETPID ++ rng->pid = getpid(); ++#endif + #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB) + rng->devId = devId; + #if defined(WOLF_CRYPTO_CB) +@@ -1849,6 +1852,63 @@ int wc_InitRngNonce_ex(WC_RNG* rng, byte* nonce, word32 nonceSz, + return _InitRng(rng, nonce, nonceSz, heap, devId); + } + ++#ifdef HAVE_HASHDRBG ++static int PollAndReSeed(WC_RNG* rng) ++{ ++ int ret = DRBG_NEED_RESEED; ++ int devId = INVALID_DEVID; ++#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB) ++ devId = rng->devId; ++#endif ++ if (wc_RNG_HealthTestLocal(1, rng->heap, devId) == 0) { ++ #ifndef WOLFSSL_SMALL_STACK ++ byte newSeed[SEED_SZ + SEED_BLOCK_SZ]; ++ ret = DRBG_SUCCESS; ++ #else ++ byte* newSeed = (byte*)XMALLOC(SEED_SZ + SEED_BLOCK_SZ, rng->heap, ++ DYNAMIC_TYPE_SEED); ++ ret = (newSeed == NULL) ? MEMORY_E : DRBG_SUCCESS; ++ #endif ++ if (ret == DRBG_SUCCESS) { ++ #ifdef WC_RNG_SEED_CB ++ if (seedCb == NULL) { ++ ret = DRBG_NO_SEED_CB; ++ } ++ else { ++ ret = seedCb(&rng->seed, newSeed, SEED_SZ + SEED_BLOCK_SZ); ++ if (ret != 0) { ++ ret = DRBG_FAILURE; ++ } ++ } ++ #else ++ ret = wc_GenerateSeed(&rng->seed, newSeed, ++ SEED_SZ + SEED_BLOCK_SZ); ++ #endif ++ if (ret != 0) ++ ret = DRBG_FAILURE; ++ } ++ if (ret == DRBG_SUCCESS) ++ ret = wc_RNG_TestSeed(newSeed, SEED_SZ + SEED_BLOCK_SZ); ++ ++ if (ret == DRBG_SUCCESS) ++ ret = Hash_DRBG_Reseed((DRBG_internal *)rng->drbg, ++ newSeed + SEED_BLOCK_SZ, SEED_SZ); ++ #ifdef WOLFSSL_SMALL_STACK ++ if (newSeed != NULL) { ++ ForceZero(newSeed, SEED_SZ + SEED_BLOCK_SZ); ++ } ++ XFREE(newSeed, rng->heap, DYNAMIC_TYPE_SEED); ++ #else ++ ForceZero(newSeed, sizeof(newSeed)); ++ #endif ++ } ++ else { ++ ret = DRBG_CONT_FAILURE; ++ } ++ ++ return ret; ++} ++#endif + + /* place a generated block in output */ + WOLFSSL_ABI +@@ -1908,60 +1968,22 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz) + if (rng->status != DRBG_OK) + return RNG_FAILURE_E; + ++#ifdef HAVE_GETPID ++ if (rng->pid != getpid()) { ++ rng->pid = getpid(); ++ ret = PollAndReSeed(rng); ++ if (ret != DRBG_SUCCESS) { ++ rng->status = DRBG_FAILED; ++ return RNG_FAILURE_E; ++ } ++ } ++#endif ++ + ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz); + if (ret == DRBG_NEED_RESEED) { +- int devId = INVALID_DEVID; +- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB) +- devId = rng->devId; +- #endif +- if (wc_RNG_HealthTestLocal(1, rng->heap, devId) == 0) { +- #ifndef WOLFSSL_SMALL_STACK +- byte newSeed[SEED_SZ + SEED_BLOCK_SZ]; +- ret = DRBG_SUCCESS; +- #else +- byte* newSeed = (byte*)XMALLOC(SEED_SZ + SEED_BLOCK_SZ, rng->heap, +- DYNAMIC_TYPE_SEED); +- ret = (newSeed == NULL) ? MEMORY_E : DRBG_SUCCESS; +- #endif +- if (ret == DRBG_SUCCESS) { +- #ifdef WC_RNG_SEED_CB +- if (seedCb == NULL) { +- ret = DRBG_NO_SEED_CB; +- } +- else { +- ret = seedCb(&rng->seed, newSeed, SEED_SZ + SEED_BLOCK_SZ); +- if (ret != 0) { +- ret = DRBG_FAILURE; +- } +- } +- #else +- ret = wc_GenerateSeed(&rng->seed, newSeed, +- SEED_SZ + SEED_BLOCK_SZ); +- #endif +- if (ret != 0) +- ret = DRBG_FAILURE; +- } +- if (ret == DRBG_SUCCESS) +- ret = wc_RNG_TestSeed(newSeed, SEED_SZ + SEED_BLOCK_SZ); +- +- if (ret == DRBG_SUCCESS) +- ret = Hash_DRBG_Reseed((DRBG_internal *)rng->drbg, +- newSeed + SEED_BLOCK_SZ, SEED_SZ); +- if (ret == DRBG_SUCCESS) +- ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz); +- +- #ifdef WOLFSSL_SMALL_STACK +- if (newSeed != NULL) { +- ForceZero(newSeed, SEED_SZ + SEED_BLOCK_SZ); +- } +- XFREE(newSeed, rng->heap, DYNAMIC_TYPE_SEED); +- #else +- ForceZero(newSeed, sizeof(newSeed)); +- #endif +- } +- else { +- ret = DRBG_CONT_FAILURE; +- } ++ ret = PollAndReSeed(rng); ++ if (ret == DRBG_SUCCESS) ++ ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz); + } + + if (ret == DRBG_SUCCESS) { +diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h +index 9dd616328..f472e1f40 100644 +--- a/wolfssl/wolfcrypt/random.h ++++ b/wolfssl/wolfcrypt/random.h +@@ -183,6 +183,9 @@ struct WC_RNG { + #endif + byte status; + #endif ++#ifdef HAVE_GETPID ++ pid_t pid; ++#endif + #ifdef WOLFSSL_ASYNC_CRYPT + WC_ASYNC_DEV asyncDev; + #endif diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-3.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-3.patch new file mode 100644 index 0000000000..e70a3fec80 --- /dev/null +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-3.patch @@ -0,0 +1,125 @@ +From 62a3a4f0b8b307bdacc34204db44627521de4bf9 Mon Sep 17 00:00:00 2001 +From: JacobBarthelmeh +Date: Tue, 10 Jun 2025 14:15:38 -0600 +Subject: [PATCH] add mutex locking and compat layer FIPS case + +CVE: CVE-2025-7394 +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/fbbb6b7707f7f8ae1c38ab68daec0af02ee0208a] +(cherry picked from commit fbbb6b7707f7f8ae1c38ab68daec0af02ee0208a) +Signed-off-by: Ankur Tyagi +--- + src/ssl.c | 62 +++++++++++++++++++++++++++---------------------------- + 1 file changed, 31 insertions(+), 31 deletions(-) + +diff --git a/src/ssl.c b/src/ssl.c +index 872aed594..f0186b253 100644 +--- a/src/ssl.c ++++ b/src/ssl.c +@@ -23603,6 +23603,12 @@ static int wolfSSL_RAND_InitMutex(void) + + #ifdef OPENSSL_EXTRA + ++#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0) ++/* In older FIPS bundles add check for reseed here since it does not exist in ++ * the older random.c certified files. */ ++static pid_t currentRandPid = 0; ++#endif ++ + /* Checks if the global RNG has been created. If not then one is created. + * + * Returns WOLFSSL_SUCCESS when no error is encountered. +@@ -23616,8 +23622,8 @@ int wolfSSL_RAND_Init(void) + ret = wc_InitRng(&globalRNG); + if (ret == 0) { + #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \ +- FIPS_VERSION3_LT(6,0,0))) +- currentPid = getpid(); ++ FIPS_VERSION3_LT(6,0,0) ++ currentRandPid = getpid(); + #endif + initGlobalRNG = 1; + ret = WOLFSSL_SUCCESS; +@@ -24049,28 +24055,6 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num) + return ret; + } + +-#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0))) +-/* In older FIPS bundles add check for reseed here since it does not exist in +- * the older random.c certified files. */ +-static pid_t currentPid = 0; +- +-/* returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */ +-static int RandCheckReSeed() +-{ +- int ret = WOLFSSL_SUCCESS; +- pid_t p; +- +- p = getpid(); +- if (p != currentPid) { +- currentPid = p; +- if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) { +- ret = WOLFSSL_FAILURE; +- } +- } +- return ret; +-} +-#endif +- + /* returns WOLFSSL_SUCCESS (1) if the bytes generated are valid otherwise 0 + * on failure */ + int wolfSSL_RAND_bytes(unsigned char* buf, int num) +@@ -24114,17 +24098,27 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num) + * have the lock. + */ + if (initGlobalRNG) { +- rng = &globalRNG; +- + #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \ +- FIPS_VERSION3_LT(6,0,0))) +- if (RandCheckReSeed() != WOLFSSL_SUCCESS) { ++ FIPS_VERSION3_LT(6,0,0) ++ pid_t p; ++ ++ p = getpid(); ++ if (p != currentRandPid) { + wc_UnLockMutex(&globalRNGMutex); +- WOLFSSL_MSG("Issue with check pid and reseed"); +- return ret; ++ if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) { ++ WOLFSSL_MSG("Issue with check pid and reseed"); ++ ret = WOLFSSL_FAILURE; ++ } ++ ++ /* reclaim lock after wolfSSL_RAND_poll */ ++ if (wc_LockMutex(&globalRNGMutex) != 0) { ++ WOLFSSL_MSG("Bad Lock Mutex rng"); ++ return ret; ++ } ++ currentRandPid = p; + } + #endif +- ++ rng = &globalRNG; + used_global = 1; + } + else { +@@ -24201,6 +24195,11 @@ int wolfSSL_RAND_poll(void) + } + else { + #ifdef HAVE_HASHDRBG ++ if (wc_LockMutex(&globalRNGMutex) != 0) { ++ WOLFSSL_MSG("Bad Lock Mutex rng"); ++ return ret; ++ } ++ + ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz); + if (ret != 0) { + WOLFSSL_MSG("Error reseeding DRBG"); +@@ -24209,6 +24208,7 @@ int wolfSSL_RAND_poll(void) + else { + ret = WOLFSSL_SUCCESS; + } ++ wc_UnLockMutex(&globalRNGMutex); + #else + WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set"); + ret = WOLFSSL_FAILURE; diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-4.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-4.patch new file mode 100644 index 0000000000..7d6413f7ca --- /dev/null +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-4.patch @@ -0,0 +1,85 @@ +From d7a68e85ebe4705e7345b0e5012c806615cd86c7 Mon Sep 17 00:00:00 2001 +From: JacobBarthelmeh +Date: Tue, 10 Jun 2025 16:12:09 -0600 +Subject: [PATCH] add a way to restore previous pid behavior + +CVE: CVE-2025-7394 +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/47cf634965a3aabe82fd97a8feed9efd6688e34a] +Signed-off-by: Ankur Tyagi +--- + src/ssl.c | 11 ++++++----- + wolfcrypt/src/random.c | 4 ++-- + wolfssl/wolfcrypt/random.h | 2 +- + 3 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/ssl.c b/src/ssl.c +index f0186b253..e214fa504 100644 +--- a/src/ssl.c ++++ b/src/ssl.c +@@ -23603,7 +23603,8 @@ static int wolfSSL_RAND_InitMutex(void) + + #ifdef OPENSSL_EXTRA + +-#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0) ++#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \ ++ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0) + /* In older FIPS bundles add check for reseed here since it does not exist in + * the older random.c certified files. */ + static pid_t currentRandPid = 0; +@@ -23621,8 +23622,8 @@ int wolfSSL_RAND_Init(void) + if (initGlobalRNG == 0) { + ret = wc_InitRng(&globalRNG); + if (ret == 0) { +- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \ +- FIPS_VERSION3_LT(6,0,0) ++ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \ ++ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0) + currentRandPid = getpid(); + #endif + initGlobalRNG = 1; +@@ -24098,8 +24099,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num) + * have the lock. + */ + if (initGlobalRNG) { +- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \ +- FIPS_VERSION3_LT(6,0,0) ++ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \ ++ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0) + pid_t p; + + p = getpid(); +diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c +index b440e274b..dc89db542 100644 +--- a/wolfcrypt/src/random.c ++++ b/wolfcrypt/src/random.c +@@ -1599,7 +1599,7 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz, + #else + rng->heap = heap; + #endif +-#ifdef HAVE_GETPID ++#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) + rng->pid = getpid(); + #endif + #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB) +@@ -1968,7 +1968,7 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz) + if (rng->status != DRBG_OK) + return RNG_FAILURE_E; + +-#ifdef HAVE_GETPID ++#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) + if (rng->pid != getpid()) { + rng->pid = getpid(); + ret = PollAndReSeed(rng); +diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h +index f472e1f40..320641548 100644 +--- a/wolfssl/wolfcrypt/random.h ++++ b/wolfssl/wolfcrypt/random.h +@@ -183,7 +183,7 @@ struct WC_RNG { + #endif + byte status; + #endif +-#ifdef HAVE_GETPID ++#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) + pid_t pid; + #endif + #ifdef WOLFSSL_ASYNC_CRYPT diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-5.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-5.patch new file mode 100644 index 0000000000..6747f24352 --- /dev/null +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-5.patch @@ -0,0 +1,40 @@ +From 670437d91ae3025b4721eb4f450e5dc31fc3d6ee Mon Sep 17 00:00:00 2001 +From: Chris Conlon +Date: Wed, 18 Jun 2025 16:08:34 -0600 +Subject: [PATCH] Add HAVE_GETPID to options.h if getpid detected, needed for + apps to correctly detect size of WC_RNG struct + +CVE: CVE-2025-7394 +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9c35c0de65e135e621400958f22829c0d2555ed4] +Signed-off-by: Ankur Tyagi +--- + configure.ac | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 43ddd4767..636c45aef 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -156,6 +156,9 @@ fi + #ifdef HAVE_STDLIB_H + #include + #endif ++#ifdef HAVE_UNISTD_H ++ #include ++#endif + ]]) + + AC_PROG_INSTALL +@@ -9479,6 +9482,12 @@ then + AM_CFLAGS="$AM_CFLAGS -DHAVE___UINT128_T=1" + fi + ++# Add HAVE_GETPID to AM_CFLAGS for inclusion in options.h ++if test "$ac_cv_func_getpid" = "yes" ++then ++ AM_CFLAGS="$AM_CFLAGS -DHAVE_GETPID=1" ++fi ++ + LIB_SOCKET_NSL + AX_HARDEN_CC_COMPILER_FLAGS + diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-6.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-6.patch new file mode 100644 index 0000000000..e86bc8bc56 --- /dev/null +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-6.patch @@ -0,0 +1,48 @@ +From aaad0035e4e795b8b225bd481e3942de015a362d Mon Sep 17 00:00:00 2001 +From: Chris Conlon +Date: Wed, 18 Jun 2025 16:57:02 -0600 +Subject: [PATCH] Add check for reseed in ssl.c for HAVE_SELFTEST, similar to + old FIPS bundles that do not have older random.c files + +CVE: CVE-2025-7394 +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/cdd02f9665ef43126503307972e4389070a00a73 +(cherry picked from commit cdd02f9665ef43126503307972e4389070a00a73) +Signed-off-by: Ankur Tyagi +--- + src/ssl.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/ssl.c b/src/ssl.c +index e214fa504..e538233fc 100644 +--- a/src/ssl.c ++++ b/src/ssl.c +@@ -23604,7 +23604,7 @@ static int wolfSSL_RAND_InitMutex(void) + #ifdef OPENSSL_EXTRA + + #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \ +- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0) ++ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || defined(HAVE_SELFTEST)) + /* In older FIPS bundles add check for reseed here since it does not exist in + * the older random.c certified files. */ + static pid_t currentRandPid = 0; +@@ -23623,7 +23623,9 @@ int wolfSSL_RAND_Init(void) + ret = wc_InitRng(&globalRNG); + if (ret == 0) { + #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \ +- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0) ++ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \ ++ defined(HAVE_SELFTEST)) ++ + currentRandPid = getpid(); + #endif + initGlobalRNG = 1; +@@ -24100,7 +24102,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num) + */ + if (initGlobalRNG) { + #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \ +- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0) ++ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \ ++ defined(HAVE_SELFTEST)) + pid_t p; + + p = getpid(); diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb index 5e66c8b186..0dc488dc24 100644 --- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb +++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb @@ -17,6 +17,12 @@ SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \ file://CVE-2025-7395-1.patch \ file://CVE-2025-7395-2.patch \ file://CVE-2025-7395-3.patch \ + file://CVE-2025-7394-1.patch \ + file://CVE-2025-7394-2.patch \ + file://CVE-2025-7394-3.patch \ + file://CVE-2025-7394-4.patch \ + file://CVE-2025-7394-5.patch \ + file://CVE-2025-7394-6.patch \ " SRCREV = "00e42151ca061463ba6a95adb2290f678cbca472" From patchwork Fri Jan 9 09:28:42 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78324 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1FF6D167E8 for ; Fri, 9 Jan 2026 09:29:26 +0000 (UTC) Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.6766.1767950961036642695 for ; Fri, 09 Jan 2026 01:29:21 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=lGMvJadz; spf=pass (domain: gmail.com, ip: 209.85.215.174, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f174.google.com with SMTP id 41be03b00d2f7-c2a9a9b43b1so2711687a12.2 for ; Fri, 09 Jan 2026 01:29:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767950960; x=1768555760; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=0dFltR3G6lI7p9HE1U2xtPtXJ4ZQlhX+ekVUBDFnFto=; b=lGMvJadzlUoAXImxXI82lzZ2U37JcC1UJsBvWB+1tQJ5dxIYIhfUlze+nn7fB3hofX d/N9MJ0HvWR+g7f9ANnxWElkj078hntvkKCddSz9udnQiGBFsxL9bLpLN1pFIRBeX5Of Qj2Lhp7TpcYC9lALfn+DS44H/bDfxBp+cNKj5bsfekFYnSxVMXECBbUboMGeO9c7kND3 E7W2gqquRMXcqNy3QY4QIKqfAv8vT7e6EXFOYGOI1i4ELDMppw5RHUgzfBk1x3ZCZe0o 1DYVGkv+1UNW/S7cZkwx0YUFgNU63Q4VrM9ehw/uFjF5QQGQVCWWgtz9Xtrlr5hJhCjS jQMw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767950960; x=1768555760; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=0dFltR3G6lI7p9HE1U2xtPtXJ4ZQlhX+ekVUBDFnFto=; b=k0ZMEYfA4/vk7rSDGUVF/2KFDVLNhRkAH7ClGGom6yeTimPPjt/QZRWGbVwaXRVmiy WEI7GLwIwcmQPwYZukdjH+bYvhHeyP9LohuPJiGlZz9ImKiOcCZWiZs5APl5qlW/Pd2o 3nCgFx8klUwr2nJbW6uGHfFSeN5d5GtPCK+VcZtzHA8+WRxzLw9eHWBsRMWXqd18DHpf uhxxrXUJ9G5/Mf8TeUz36EK7Xg0u3k2VjFKZbnoFDde1ulx4KF6s+oDoKyFMsDkRkk1v Lbnhhmuf5g23j2FYWSTZIcujMfhp3NHfiJNAxWTGFsZba4ts6c12gfjMpRvtjyPHHh2n c8Pg== X-Gm-Message-State: AOJu0YxuxCaHoXtMA0Q7iGs/XS+PpkvgcrYJpXaUGzfvWBCIIlWItEFR gyI1ULqPgQuNLGjNu1I+6hE09RHJATM2FrauUiKZWjEzmB/xdHSt1AhzMfmEQw== X-Gm-Gg: AY/fxX5bPhq4rI5KodFXDvp3cyAMfQmZns1N1h45BQ07V4HAYRzqlL8KoCC9hSJ4T3T +FixkfOAMufevOQLOtNEN4l3uXm9160gps2unAybxfKOHSJjCvbNz/hyQT1FXp1rf+Jw9qxgzGe XUittdiMgstPEzcWmN8b522edbv7uZIgrNSIewF/Xd063N4SAlVAWKAc7Ozrg86l5KL1ES1yA1W ix/Dt76oGeYI1GAPKiG0jX7rBN3+3QiftlpU1vpGMP5ATLwA9NepRlcMGImK52giizgMK6Eeqdu GWxZXJClgmkqAUCYYuwMSaM39xF9wH8drtn9qgGx4/D7rj4wbpknhM4ySWJ1igu1/QveYLhqSNa VFubqUDBSJku2q6n5u7qxPv67clBGSrcLdX4uRFdyXOpyapZ/yn6cmD5t5qU53ptqlpYVui4o4z 4BB0FTtVAyqdmSu4M6/q667WY= X-Google-Smtp-Source: AGHT+IF71Txsq/igO+FdMkre3nJn+W/FhN898C1oZebx1TiiePjH4MaUpIrQoqbafI+bSY0rFKN2dg== X-Received: by 2002:a05:6a20:7348:b0:366:14ac:e1e7 with SMTP id adf61e73a8af0-3898fa060b3mr8733499637.77.1767950960185; Fri, 09 Jan 2026 01:29:20 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([167.103.127.10]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a3e3cc88e3sm99529295ad.75.2026.01.09.01.29.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jan 2026 01:29:19 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-networking][scarthgap][PATCH 12/12] unbound: patch CVE-2025-5994 Date: Fri, 9 Jan 2026 22:28:42 +1300 Message-ID: <20260109092843.1924568-12-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> References: <20260109092843.1924568-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 09 Jan 2026 09:29:26 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123290 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-5994 Signed-off-by: Ankur Tyagi --- .../unbound/unbound/CVE-2025-5994.patch | 276 ++++++++++++++++++ .../recipes-support/unbound/unbound_1.19.3.bb | 1 + 2 files changed, 277 insertions(+) create mode 100644 meta-networking/recipes-support/unbound/unbound/CVE-2025-5994.patch diff --git a/meta-networking/recipes-support/unbound/unbound/CVE-2025-5994.patch b/meta-networking/recipes-support/unbound/unbound/CVE-2025-5994.patch new file mode 100644 index 0000000000..3056fe3683 --- /dev/null +++ b/meta-networking/recipes-support/unbound/unbound/CVE-2025-5994.patch @@ -0,0 +1,276 @@ +From 380b53b92a6824a581f3f6079dfddd73631933fa Mon Sep 17 00:00:00 2001 +From: "W.C.A. Wijngaards" +Date: Wed, 16 Jul 2025 10:02:01 +0200 +Subject: [PATCH] - Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li + from AOSP Lab Nankai University. + +CVE: CVE-2025-5994 +Upstream-Status: Backport [https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f] +Signed-off-by: Ankur Tyagi +--- + edns-subnet/subnetmod.c | 152 ++++++++++++++++++++++++++++++++++++---- + edns-subnet/subnetmod.h | 4 ++ + 2 files changed, 142 insertions(+), 14 deletions(-) + +diff --git a/edns-subnet/subnetmod.c b/edns-subnet/subnetmod.c +index cefde84e..9c0c914b 100644 +--- a/edns-subnet/subnetmod.c ++++ b/edns-subnet/subnetmod.c +@@ -51,6 +51,7 @@ + #include "services/cache/dns.h" + #include "util/module.h" + #include "util/regional.h" ++#include "util/fptr_wlist.h" + #include "util/storage/slabhash.h" + #include "util/config_file.h" + #include "util/data/msgreply.h" +@@ -152,7 +153,8 @@ int ecs_whitelist_check(struct query_info* qinfo, + + /* Cache by default, might be disabled after parsing EDNS option + * received from nameserver. */ +- if(!iter_stub_fwd_no_cache(qstate, &qstate->qinfo, NULL, NULL)) { ++ if(!iter_stub_fwd_no_cache(qstate, &qstate->qinfo, NULL, NULL) ++ && sq->ecs_client_in.subnet_validdata) { + qstate->no_cache_store = 0; + } + +@@ -504,6 +506,69 @@ common_prefix(uint8_t *a, uint8_t *b, uint8_t net) + return !memcmp(a, b, n) && ((net % 8) == 0 || a[n] == b[n]); + } + ++/** ++ * Create sub request that looks up the query. ++ * @param qstate: query state ++ * @param sq: subnet qstate ++ * @return false on failure. ++ */ ++static int ++generate_sub_request(struct module_qstate *qstate, struct subnet_qstate* sq) ++{ ++ struct module_qstate* subq = NULL; ++ uint16_t qflags = 0; /* OPCODE QUERY, no flags */ ++ int prime = 0; ++ int valrec = 0; ++ struct query_info qinf; ++ qinf.qname = qstate->qinfo.qname; ++ qinf.qname_len = qstate->qinfo.qname_len; ++ qinf.qtype = qstate->qinfo.qtype; ++ qinf.qclass = qstate->qinfo.qclass; ++ qinf.local_alias = NULL; ++ ++ qflags |= BIT_RD; ++ if((qstate->query_flags & BIT_CD)!=0) { ++ qflags |= BIT_CD; ++ valrec = 1; ++ } ++ ++ fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub)); ++ if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime, valrec, ++ &subq)) { ++ return 0; ++ } ++ if(subq) { ++ /* It is possible to access the subquery module state. */ ++ if(sq->ecs_client_in.subnet_source_mask == 0 && ++ edns_opt_list_find(qstate->edns_opts_front_in, ++ qstate->env->cfg->client_subnet_opcode)) { ++ subq->no_cache_store = 1; ++ } ++ } ++ return 1; ++} ++ ++/** ++ * Perform the query without subnet ++ * @param qstate: query state ++ * @param sq: subnet qstate ++ * @return module state ++ */ ++static enum module_ext_state ++generate_lookup_without_subnet(struct module_qstate *qstate, ++ struct subnet_qstate* sq) ++{ ++ verbose(VERB_ALGO, "subnetcache: make subquery to look up without subnet"); ++ if(!generate_sub_request(qstate, sq)) { ++ verbose(VERB_ALGO, "Could not generate sub query"); ++ qstate->return_rcode = LDNS_RCODE_FORMERR; ++ qstate->return_msg = NULL; ++ return module_finished; ++ } ++ sq->wait_subquery = 1; ++ return module_wait_subquery; ++} ++ + static enum module_ext_state + eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq) + { +@@ -539,14 +604,7 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq) + * is still useful to put it in the edns subnet cache for + * when a client explicitly asks for subnet specific answer. */ + verbose(VERB_QUERY, "subnetcache: Authority indicates no support"); +- if(!sq->started_no_cache_store) { +- lock_rw_wrlock(&sne->biglock); +- update_cache(qstate, id); +- lock_rw_unlock(&sne->biglock); +- } +- if (sq->subnet_downstream) +- cp_edns_bad_response(c_out, c_in); +- return module_finished; ++ return generate_lookup_without_subnet(qstate, sq); + } + + /* Purposefully there was no sent subnet, and there is consequently +@@ -571,14 +629,14 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq) + !common_prefix(s_out->subnet_addr, s_in->subnet_addr, + s_out->subnet_source_mask)) + { +- /* we can not accept, restart query without option */ ++ /* we can not accept, perform query without option */ + verbose(VERB_QUERY, "subnetcache: forged data"); + s_out->subnet_validdata = 0; + (void)edns_opt_list_remove(&qstate->edns_opts_back_out, + qstate->env->cfg->client_subnet_opcode); + sq->subnet_sent = 0; + sq->subnet_sent_no_subnet = 0; +- return module_restart_next; ++ return generate_lookup_without_subnet(qstate, sq); + } + + lock_rw_wrlock(&sne->biglock); +@@ -763,6 +821,9 @@ ecs_edns_back_parsed(struct module_qstate* qstate, int id, + } else if(sq->subnet_sent_no_subnet) { + /* The answer can be stored as scope 0, not in global cache. */ + qstate->no_cache_store = 1; ++ } else if(sq->subnet_sent) { ++ /* Need another query to be able to store in global cache. */ ++ qstate->no_cache_store = 1; + } + + return 1; +@@ -780,6 +841,32 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event, + strmodulevent(event)); + log_query_info(VERB_QUERY, "subnetcache operate: query", &qstate->qinfo); + ++ if(sq && sq->wait_subquery_done) { ++ /* The subquery lookup returned. */ ++ if(sq->ecs_client_in.subnet_source_mask == 0 && ++ edns_opt_list_find(qstate->edns_opts_front_in, ++ qstate->env->cfg->client_subnet_opcode)) { ++ if(!sq->started_no_cache_store && ++ qstate->return_msg) { ++ lock_rw_wrlock(&sne->biglock); ++ update_cache(qstate, id); ++ lock_rw_unlock(&sne->biglock); ++ } ++ if (sq->subnet_downstream) ++ cp_edns_bad_response(&sq->ecs_client_out, ++ &sq->ecs_client_in); ++ /* It is a scope zero lookup, append edns subnet ++ * option to the querier. */ ++ subnet_ecs_opt_list_append(&sq->ecs_client_out, ++ &qstate->edns_opts_front_out, qstate, ++ qstate->region); ++ } ++ sq->wait_subquery_done = 0; ++ qstate->ext_state[id] = module_finished; ++ qstate->no_cache_store = sq->started_no_cache_store; ++ qstate->no_cache_lookup = sq->started_no_cache_lookup; ++ return; ++ } + if((event == module_event_new || event == module_event_pass) && + sq == NULL) { + struct edns_option* ecs_opt; +@@ -790,6 +877,8 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event, + } + + sq = (struct subnet_qstate*)qstate->minfo[id]; ++ if(sq->wait_subquery) ++ return; /* Wait for that subquery to return */ + + if((ecs_opt = edns_opt_list_find( + qstate->edns_opts_front_in, +@@ -819,6 +908,14 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event, + /* No clients are interested in result or we could not + * parse it, we don't do client subnet */ + sq->ecs_server_out.subnet_validdata = 0; ++ if(edns_opt_list_find(qstate->edns_opts_front_in, ++ qstate->env->cfg->client_subnet_opcode)) { ++ /* aggregated this deaggregated state */ ++ qstate->ext_state[id] = ++ generate_lookup_without_subnet( ++ qstate, sq); ++ return; ++ } + verbose(VERB_ALGO, "subnetcache: pass to next module"); + qstate->ext_state[id] = module_wait_module; + return; +@@ -859,6 +956,14 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event, + } + lock_rw_unlock(&sne->biglock); + } ++ if(sq->ecs_client_in.subnet_source_mask == 0 && ++ edns_opt_list_find(qstate->edns_opts_front_in, ++ qstate->env->cfg->client_subnet_opcode)) { ++ /* client asked for resolution without edns subnet */ ++ qstate->ext_state[id] = generate_lookup_without_subnet( ++ qstate, sq); ++ return; ++ } + + sq->ecs_server_out.subnet_addr_fam = + sq->ecs_client_in.subnet_addr_fam; +@@ -895,6 +1000,8 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event, + qstate->ext_state[id] = module_wait_module; + return; + } ++ if(sq && sq->wait_subquery) ++ return; /* Wait for that subquery to return */ + /* Query handed back by next module, we have a 'final' answer */ + if(sq && event == module_event_moddone) { + qstate->ext_state[id] = eval_response(qstate, id, sq); +@@ -943,10 +1050,27 @@ subnetmod_clear(struct module_qstate *ATTR_UNUSED(qstate), + } + + void +-subnetmod_inform_super(struct module_qstate *ATTR_UNUSED(qstate), +- int ATTR_UNUSED(id), struct module_qstate *ATTR_UNUSED(super)) ++subnetmod_inform_super(struct module_qstate *qstate, int id, ++ struct module_qstate *super) + { +- /* Not used */ ++ struct subnet_qstate* super_sq = ++ (struct subnet_qstate*)super->minfo[id]; ++ log_query_info(VERB_ALGO, "subnetcache inform_super: query", ++ &super->qinfo); ++ super_sq->wait_subquery = 0; ++ super_sq->wait_subquery_done = 1; ++ if(qstate->return_rcode != LDNS_RCODE_NOERROR || ++ !qstate->return_msg) { ++ super->return_msg = NULL; ++ super->return_rcode = LDNS_RCODE_SERVFAIL; ++ return; ++ } ++ super->return_rcode = LDNS_RCODE_NOERROR; ++ super->return_msg = dns_copy_msg(qstate->return_msg, super->region); ++ if(!super->return_msg) { ++ log_err("subnetcache: copy response, out of memory"); ++ super->return_rcode = LDNS_RCODE_SERVFAIL; ++ } + } + + size_t +diff --git a/edns-subnet/subnetmod.h b/edns-subnet/subnetmod.h +index 1ff8a23e..3893820f 100644 +--- a/edns-subnet/subnetmod.h ++++ b/edns-subnet/subnetmod.h +@@ -102,6 +102,10 @@ struct subnet_qstate { + int started_no_cache_store; + /** has the subnet module been started with no_cache_lookup? */ + int started_no_cache_lookup; ++ /** Wait for subquery that has been started for nonsubnet lookup. */ ++ int wait_subquery; ++ /** The subquery waited for is done. */ ++ int wait_subquery_done; + }; + + void subnet_data_delete(void* d, void* ATTR_UNUSED(arg)); diff --git a/meta-networking/recipes-support/unbound/unbound_1.19.3.bb b/meta-networking/recipes-support/unbound/unbound_1.19.3.bb index 076f03f2ae..7e3e37406f 100644 --- a/meta-networking/recipes-support/unbound/unbound_1.19.3.bb +++ b/meta-networking/recipes-support/unbound/unbound_1.19.3.bb @@ -16,6 +16,7 @@ SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=https;nobranch=1 \ file://CVE-2024-43167.patch \ file://CVE-2024-43168_1.patch \ file://CVE-2024-43168_2.patch \ + file://CVE-2025-5994.patch \ " SRCREV = "48b6c60a24e9a5d6d369a7a37c9fe2a767f26abd"